Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SEO Analyzer by G0atbot

v1.0.0

Analyze website SEO including meta tags, headings, content, keywords, competitor comparison, site audits, and ranking checks for free.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
SKILL.md promises keyword research, ranking checks (Brave Search API), competitor analysis, and JS-rendering via a browser. The bundled code (seo-analyzer.js) only fetches a page over HTTP(S) and performs static HTML parsing and basic heuristics. There is no code calling any search API, no Brave Search usage, and no browser automation. The skill therefore does not provide many of the advertised capabilities and is misleading about what it actually needs/does.
Instruction Scope
Runtime instructions reference tools (web_fetch, web_search, browser) and an external Brave Search API, but neither the SKILL.md nor the code provides real steps to obtain or use that API. The Node script only fetches target pages and prints analysis. Instructions giving the agent latitude to use web_search/browser are broader than what the shipped code implements — this grants the agent discretion to call platform search/browser tools that are outside the script's scope.
Install Mechanism
No install spec and only a single small JS file are included. There are no downloads, external install URLs, or package installs that would persist arbitrary code to disk beyond the provided file. This is low risk from an installation mechanism perspective.
Credentials
The skill declares no required environment variables or credentials, and the code does not access any secrets. However, SKILL.md lists a 'Brave Search API' requirement that is not declared in requires.env and not implemented in code — either the documentation is incorrect or the skill expects the agent/platform to provide that API key at runtime. That mismatch should be clarified before trusting ranking/keyword features.
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not modify other skills or system configuration, and does not declare any elevated privileges. Default autonomous invocation is allowed (platform default) and is not by itself concerning here.
What to consider before installing
The skill appears to be a simple static HTML SEO checker (the included JS fetches pages and analyzes markup), but its docs promise search-based ranking, keyword research, and browser-rendered SPA analysis that the code does not implement. Before installing:
1) Ask the publisher how keyword/ranking lookups and Brave Search API access are actually performed and why no API key is declared.
2) Treat the skill as incomplete or misleading — test it in a sandbox to confirm behavior.
3) If you need ranking/keyword features, prefer skills that explicitly declare required credentials/install steps or use a vetted provider.
4) Because the skill could rely on agent-provided web_search/browser tools at runtime, be cautious about sensitive targets you ask it to analyze and verify network activity if possible.

Like a lobster shell, security has layers — review code before you run it.

