Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SEO to HTML Maker (via Kanban Plugin)
v1.0.1A complete end-to-end SEO content pipeline that instructs your OpenClaw agent to research topics, write EEAT-compliant markdown, and render a styled HTML web...
⭐ 0· 184·0 current·0 all-time
byJoey.Z@joeyzzyy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims only to be an instruction-only SEO Markdown→HTML pipeline, but the SKILL.md explicitly requires a companion plugin (openclaw plugins install claw-kanban) and a Dashboard API key from teammate.work. The manifest lists no required env vars or credentials, yet runtime behavior depends on an external plugin and cloud dashboard — this is a mismatch between declared requirements and what the workflow actually needs.
Instruction Scope
Instructions direct the agent to create Kanban cards, move cards to Done, and attach the final .html as an artifact to a cloud dashboard. That implies uploading content (potentially sensitive) to an external service. The SKILL.md does not limit what content is uploaded and gives the agent autonomy to perform cloud-tracking actions; it also instructs the user to run a plugin install command locally. These data-transmission steps are outside a simple local Markdown→HTML conversion and are not declared in the skill metadata.
Install Mechanism
There is no install spec in the skill bundle itself, but the SKILL.md requires installing a separate OpenClaw plugin via 'openclaw plugins install claw-kanban'. Installing an external plugin is a reasonable design choice, but because the plugin will (per the doc) perform Markdown-to-HTML conversion and cloud tracking, you must trust the plugin's source. The skill points to a GitHub repo (https://github.com/Joeyzzyy/claw-kanban) which is helpful — the plugin should be audited before use.
Credentials
The declared requirements list zero environment variables or credentials, but the README instructs the user to 'Get your free Dashboard API Key' from teammate.work. That key is effectively required for the dashboard integration/visualization but is not declared in the skill metadata. Requesting an API key for an external service is proportionate to dashboard features, but the lack of declaration and the potential to upload content without explicit transparency is a red flag.
Persistence & Privilege
The skill is not marked always:true and does not request persistent or system-wide modifications in its own files — it's instruction-only. Autonomous invocation is enabled (default) but not a unique concern here; the larger concern is the external plugin the skill asks you to install.
What to consider before installing
This skill asks you to install a separate plugin and to get a Dashboard API key that the skill metadata does not declare. Before installing or using it: (1) Inspect the claw-kanban plugin source on GitHub and the OpenClaw plugin registry entry to verify maintainers and recent activity; (2) Review what data the plugin uploads to teammate.work and read that service's privacy/security docs — avoid sending private or regulated content; (3) Use a throwaway/dashboard key or a sandbox environment for initial testing; (4) If you only need local Markdown→HTML conversion, consider using a local library/tool (pandoc, a static site generator, or an internal script) instead of enabling cloud tracking; (5) If you decide to proceed, confirm the plugin's network endpoints, required permissions, and whether it stores artifacts persistently. These steps will reduce the risk of unintended data exfiltration.Like a lobster shell, security has layers — review code before you run it.
latestvk97cxj238xew8tnq20ktb9383h839mn5seovk97acjehs3rqpm65y7t0tf494n82tjqf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🌐 Clawdis