Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

RankForge

v1.0.0

SEO analysis and optimization via RankForge API — site audits, keyword research, competitor analysis, ranking reports. Use when user needs SEO analysis, keyw...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md, description, and the included script all align with an SEO analysis API client (site audits, keyword research, etc.). However, the registry metadata declares no required environment variables or primary credential while both SKILL.md and scripts expect RANKFORGE_API_KEY or RANKFORGE_EMAIL (and optionally RANKFORGE_API_URL). That metadata mismatch is inconsistent and should have been declared.
Instruction Scope
Instructions tell the agent to POST site URLs and analysis requests to https://anton.vosscg.com. Nothing in the instructions asks the agent to read local files or other unrelated system state. However, the skill will transmit user-provided URLs and any JSON payloads to a third-party endpoint; users should consider privacy of the data sent.
Install Mechanism
No install spec; the skill is instruction-only with a small helper bash script. No archives or external installers are downloaded, so there's no filesystem install risk from the registry package itself.
Credentials
Although registry metadata lists no required env vars, both SKILL.md and scripts require RANKFORGE_API_KEY or RANKFORGE_EMAIL and optionally read RANKFORGE_API_URL. This undeclared credential requirement is disproportionate to the metadata and reduces transparency. The script also echoes the retrieved API key to stderr ("✅ Free key: $API_KEY"), which can leak secrets into logs.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or system-wide settings, and does not write persistent config. Autonomous invocation is allowed (platform default) but is not by itself a new risk here.
What to consider before installing
This skill appears to be a small client for an SEO API and will send URLs and any provided JSON to https://anton.vosscg.com. Before installing or using it: (1) verify the service/provider (no homepage is listed and the domain is unverified); (2) be aware you must supply RANKFORGE_API_KEY or RANKFORGE_EMAIL even though the registry metadata omits these — treat any API keys or emailed signup tokens as sensitive; (3) avoid sending sensitive site content or credentials to the third party; (4) note the helper script prints the API key to stderr which can leak to logs — consider removing that line or running in a controlled environment; (5) if you need stronger assurance, ask the publisher for a homepage/company info, an explicit requires.env listing, and a privacy/security policy for data submitted to the API.

Like a lobster shell, security has layers — review code before you run it.

latestvk977e67wakmjw898f9qafp65fs826h63
