Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SEO Ranker
v1.0.0
Performs end-to-end SEO audit and on-page optimization by analyzing live SERP, competitor content, backlink data, and generating actionable rewrite guidance.
by Hagen Hoferichter (@h4gen)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)

Purpose & Capability
The skill claims to orchestrate SERP, summarization, gateway APIs, and markdown conversion — the required binaries (node, npx, summarize, uvx) and the listed upstream skills align with that purpose. However, the registry metadata lists four different model API keys (OPENAI/ANTHROPIC/XAI/GEMINI) as required, even though SKILL.md states that only one summarize-model key is needed. Requesting all model keys is disproportionate to the stated orchestration role.
Instruction Scope
SKILL.md is instruction-only and stays within SEO workflow: fetch SERP, summarize competitors, check data-gateway, convert content to Markdown, and produce rewrites. It asks for content file paths and may read user-supplied content (expected). A surprising behavioral detail: when users ask for a 14-day Semrush trial the skill asks for an affiliate/referral URL — this is non-essential promotional behavior that should be disclosed to users. The mandatory behavior to always return a MissingAPIKeys section is explicit and not inherently malicious, but it does increase the chance the skill will enumerate and report which keys are missing/present.
Install Mechanism
The skill has no install spec and contains only runtime instructions. It instructs the agent/user to run 'npx -y clawhub@latest install ...' to pull and install upstream skills. Using npx/npm is common and traceable, but it means network downloads occur at install time; there is no packaged code in the skill bundle to inspect. This is expected, but it carries the usual supply-chain risk (npm packages will be executed in the user's environment).
Credentials
Metadata declares BRAVE_API_KEY and MATON_API_KEY (appropriate) but also lists OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, and GEMINI_API_KEY as required. SKILL.md says only one summarize-model key is needed. Requiring multiple LLM provider keys up-front is disproportionate: the skill should accept a single chosen provider. This mismatch increases credential blast radius and may trick users into providing more secrets than necessary. Preflight checks concatenate model keys in a wc -c call — harmless by itself but inconsistent with the 'one key' requirement.
Persistence & Privilege
No always:true, no required config paths, no code written into the package (instruction-only). The skill does not request persistent system-wide changes or elevated privileges in the shown instructions. Autonomous invocation is allowed (disable-model-invocation:false) but that is platform default and not by itself a red flag.
What to consider before installing
What to consider before installing or providing keys:
- Ask the publisher to clarify which API keys are mandatory versus optional. SKILL.md states only one summarize-model key is needed, but the registry metadata lists four model keys as required. Only give the single model key you plan to use (principle of least privilege).
- Verify you trust clawhub and the upstream packages that will be installed via 'npx clawhub@latest'; installation will pull code from npm at runtime. If you need to audit code, request a packaged release or run installation in a sandbox first.
- MATON_API_KEY and BRAVE_API_KEY are expected for the described features; do not supply unrelated cloud credentials. Consider creating scoped/test accounts or tokens with limited permissions for integration testing.
- Be aware the skill may ask for an affiliate/referral URL for Semrush trials — that's promotional and not required for SEO functionality. Decide whether you want that behavior.
- Because this skill is instruction-only (no inspectable code), prefer to run it in an isolated environment or request an explicit data-flow diagram showing which external endpoints receive content and which keys are transmitted.
If the publisher can (1) correct the metadata to list only required keys, (2) document exact external endpoints the skill calls, and (3) provide an explicit install artifact or audited upstream package list, my confidence in the skill's coherence would increase.
Runtime requirements
📈 Clawdis
Bins: node, npx, summarize, uvx
Env: BRAVE_API_KEY, MATON_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY
