Skill v1.0.0

ClawScan security

SEO Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 15, 2026, 2:19 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The package mostly contains benign SEO helper scripts, but there are multiple mismatches between the README/commands and the actual code (unused declared dependencies, command/flag name differences, and a truncated file), so the skill is inconsistent and should be validated before use.
Guidance
This skill appears to be a set of local Python SEO utilities, but there are several inconsistencies you should clear up before installing or using it:

- Documentation vs code mismatch: SKILL.md promises URL-based meta tag analysis and lists commands (e.g., generate-meta) that don't map exactly to the shipped scripts. Expect some commands to fail or behave differently.
- Unused dependencies: The README tells you to install 'requests' and 'beautifulsoup4' (libraries used for fetching/parsing web pages) but none of the included scripts import them. That suggests the package was intended to fetch remote pages but the implementation is missing or incomplete.
- Truncated file: seo_analyzer.py in the bundle is truncated (ends mid-line). This likely makes the analyzer non-functional or crash at runtime.

Recommendations:

1. Do not run this skill with elevated privileges or in an environment with sensitive data until you understand it. Running the scripts locally in an isolated environment (e.g., sandbox or disposable container) is safe for inspection.
2. Inspect and run each script manually (python3 scripts/*.py) with test inputs to confirm actual behavior. Check whether any network calls are made and whether outputs match your expectations.
3. Contact the author or source to get a corrected package or full source (the package appears incomplete). If you need URL fetching and HTML parsing, verify that the code uses requests/BeautifulSoup and review that code specifically for where it sends or stores data.
4. If you cannot validate the missing parts or the author is unavailable, prefer not to install this skill into agents that can be run against production websites or that have access to sensitive environments.

Given the mismatches and the truncated file, treat this package as untrusted until the issues are resolved; the concerns look like sloppy packaging rather than active maliciousness, but the ambiguity warrants caution.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (keyword research, meta tag analysis, content scoring) matches the included Python scripts in spirit. However, SKILL.md claims the ability to 'analyze meta tags from a URL' while the meta analyzer only examines URL structure and does not fetch or parse remote pages. SKILL.md also references command names (e.g. generate-meta) that do not exactly match the scripts' CLI flags. These are capability/documentation mismatches rather than clear malicious behaviors.
Instruction Scope
concern: SKILL.md instructs the agent to run commands against URLs and content (e.g. meta "https://example.com") implying remote fetching/parsing, but the included scripts do not perform HTTP requests or HTML parsing of remote pages. The instructions also recommend installing 'requests' and 'beautifulsoup4' (used for fetching and parsing) while the code does not import them. The main analyzer (seo_analyzer.py) appears truncated in the provided bundle (ends mid-line), which means the runtime behavior could be broken or incomplete. These inconsistencies could cause the agent to attempt to fetch content elsewhere or run commands that don't exist if the agent follows SKILL.md literally.
Install Mechanism
note: There is no install spec (instruction-only style with local scripts). SKILL.md tells users to pip install requests and beautifulsoup4, but the shipped scripts do not use those libraries. No external downloads, release URLs, or extract/install steps are present in the manifest, which reduces supply-chain risk; however, the declared dependencies are unnecessary for the provided code and should be reconciled.
Credentials
ok: The skill does not request any environment variables, credentials, or config paths. No secrets or broad system access are required according to the manifest and code.
Persistence & Privilege
ok: The skill is not marked 'always' and uses normal autonomous invocation defaults. It does not request persistent system-level privileges or attempt to modify other skills. No concerns here.