Skill v1.0.0
ClawScan security
Ahrefs MCP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 14, 2026, 4:41 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions align with its stated purpose (accessing Ahrefs via MCP); it is instruction-only, requests no unrelated credentials, and points to official Ahrefs endpoints and docs.
- Guidance: This skill appears coherent and focused on Ahrefs queries. Before installing: 1) Confirm you have an Ahrefs account and understand any API unit / plan limits (large queries can consume paid units). 2) Use the official OAuth/authorization flow; do not paste your raw API key into untrusted places. 3) Review the permissions requested at connect time and revoke the MCP connection from your Ahrefs account if you later want to disconnect. 4) If you consider the optional local MCP server, verify the referenced GitHub repo is the official ahrefs/ahrefs-mcp-server repository and inspect its code before deploying. 5) If you have sensitive data in queries, remember responses will come from Ahrefs and may include domain/backlink data; do not expose account credentials to third parties. Overall: installation is reasonable provided you trust Ahrefs and monitor API usage.
Review Dimensions
- Purpose & Capability: ok. Name and description match the SKILL.md and reference files: the skill is explicitly about querying Ahrefs via the Model Context Protocol (MCP). Required resources (none declared) and the runtime instructions only reference Ahrefs endpoints and Ahrefs account setup, which is proportionate to the stated purpose.
- Instruction Scope: ok. SKILL.md and references focus on formulating Ahrefs queries, setup, and workflows. They do not instruct reading unrelated files, accessing unrelated environment variables, or exfiltrating data to third-party endpoints. The only external endpoints are Ahrefs domains and an optional GitHub repo for enterprise local-server setup.
- Install Mechanism: ok. Instruction-only skill with no install spec and no code shipped. The only install-like guidance is an optional git clone of an Ahrefs GitHub repo for enterprise local MCP, which is sensible and points to a standard GitHub location. No downloads from unknown hosts or extractable archives are present.
- Credentials: ok. No environment variables, credentials, or config paths are requested in metadata. The references appropriately state that you must authorize an Ahrefs account (OAuth/API key) via Ahrefs' own UI; that is expected and proportional for this integration.
- Persistence & Privilege: ok. Skill does not request always:true, does not require system config changes, and has no declared persistence or elevated privileges. It relies on the Ahrefs authorization flow and per-account API keys, which is appropriate.
