Skill v1.0.0

ClawScan security

GEO Competitor Scanner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Feb 28, 2026, 7:53 AM
Verdict
Review
Confidence
medium
Model
gpt-5-mini
Summary
The skill is mostly coherent and not obviously malicious, but the SKILL.md overclaims capabilities and references scripts/options that are not present—this mismatch is suspicious and worth clarifying before use.
Guidance
This skill appears to be a simple web scanner and is not requesting secrets, but there are important inconsistencies you should resolve before installing:

- SKILL.md references additional scripts (scripts/analyze_page.py, scripts/bulk_scan.py) and CLI flags (--pages, --save-baseline, --compare-to) that are not included; ask the publisher for the missing files or an updated README. Running the documented commands as-is will fail or produce less functionality than described.
- The included script performs HTTP GETs of whatever domains you supply. That is expected, but be mindful of legal/ToS issues and rate limits when scanning third-party sites; run against domains you own or have permission to scan and consider adding delays or respecting robots.txt.
- The Python script requires requests and beautifulsoup4 but provides no installation instructions—install those packages in a sandboxed environment (virtualenv) before running.
- The script’s scoring math and some heuristics are simplified/fragile (e.g., naive robots parsing and schema extraction); treat output as a rough signal and verify important findings manually.

If you want to proceed safely: request the missing scripts or a corrected SKILL.md, run the scanner in a restricted environment, and review the code yourself (or ask for the author to supply tests/examples) before letting an agent invoke it autonomously.

Review Dimensions

Purpose & Capability
note: Name/description (GEO competitor scanner) match the included scanner code's intent (fetch pages, check llms.txt, robots.txt, JSON-LD, headers, simple heuristics). The skill does not request unrelated credentials or system access. However the SKILL.md describes several features (page-level analyzer, bulk_scan, trend tracking, saving baselines, flags like --pages and --save-baseline) that the included script does not implement, which is an unexplained discrepancy.
Instruction Scope
concern: SKILL.md instructs the agent to run multiple scripts (scripts/analyze_page.py, scripts/bulk_scan.py) and CLI flags (--pages, --save-baseline, --compare-to) that are referenced in the docs but are not present in the file manifest. The primary runtime file (scripts/scan_competitors.py) performs only HTTP fetches and local JSON-LD/header counts; it does not collect or transmit secrets or call external analytic endpoints. The mismatch between written instructions and actual code gives the agent broad, undefined discretion if followed literally.
Install Mechanism
ok: No install spec (instruction-only skill with a bundled script). No installer downloads or archive extraction. The script requires third-party Python packages (requests, beautifulsoup4) but does not provide an install step—low risk but the dependency requirement is implicit.
Credentials
ok: The skill declares no required environment variables, config paths, or credentials and the code does not read env vars. Network access is necessary to fetch public competitor pages (expected). There are no hidden credential requests or secrets handling.
Persistence & Privilege
ok: "always" is false and the skill does not request elevated or persistent privileges. It does not modify other skills or system configuration. Autonomous invocation is allowed by platform default (no additional concern in isolation).