IndexLift SEO Auditor

PassAudited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent SEO auditing skill that runs a local Node.js crawler against user-specified URLs and writes local reports, with no artifact-backed evidence of credential abuse, exfiltration, or deception.

Before installing, make sure you are comfortable running npm install and a local Node.js script, and only audit URLs you own or are authorized to test. The generated JSON and Markdown reports may contain page details from the audited site, so store them appropriately.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing the skill's npm dependencies runs a normal software setup process on the user's machine.

Why it was flagged

The skill is not purely instruction-only in practice: it asks the user to install npm dependencies and run bundled Node.js code. This is disclosed and aligned with the SEO-audit purpose, but users should notice the setup step.

Skill content

compatibility:
  requires:
    - node
    - npm
...
npm install
node scripts/run-audit.js --url "https://example.com"

Recommendation

Install only in the expected skill directory and review package.json/package-lock.json if your environment has strict dependency policies.

Low

#ASI05: Unexpected Code Execution

What this means

Running the audit executes local JavaScript code and third-party npm libraries to fetch, parse, score, and report on pages.

Why it was flagged

The package defines a local Node.js audit command and dependencies. Local code execution is central to this tool's purpose and is not hidden, but it is still a capability users should be aware of.

Skill content

"scripts": {
  "audit": "node scripts/run-audit.js"
},
"dependencies": {
  "chalk": "^5.0.0",
  "cheerio": "^1.2.0",
  "dayjs": "^1.11.0",
  "fast-xml-parser": "^5.5.1",
  "fs-extra": "^11.0.0"
}

Recommendation

Run it in a normal user account, avoid elevated privileges, and keep npm dependency installation consistent with the included lockfile.

Low

#ASI02: Tool Misuse and Exploitation

What this means

The audited website will receive crawler requests from the user's environment, especially if crawl mode is used.

Why it was flagged

The tool fetches robots.txt, sitemaps, and page URLs, and can crawl multiple same-origin pages up to configured limits. This is expected for SEO auditing, but it means the skill generates outbound web traffic.

Skill content

const robots = await fetchRobots(origin);
const sitemaps = await fetchSitemaps(origin, robots);
...
response = await fetchWithRedirects(current.url);
...
while (queue.length > 0 && pages.length < maxPages)

Recommendation

Use single-page mode by default, enable crawl mode only for authorized sites, and confirm the target URL before running.