Back to skill
Skillv1.0.1
ClawScan security
canonical-tag · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 6, 2026, 1:42 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only SEO helper that is internally consistent with its stated purpose (advising on canonical tags) and does not request credentials, installs, or unrelated system access.
- Guidance
- This skill is a lightweight, instruction-only SEO helper and appears coherent for canonical URL guidance. Before installing or granting the agent access, check whether your workspace contains '.claude/project-context.md' or '.cursor/project-context.md' and remove any sensitive information from those files if you don't want the skill to read it. Because the skill can be invoked by the agent, consider whether you want autonomous access enabled for agents that may call it; otherwise you can invoke it manually. No credentials or external installers are required, so risk is low.
Review Dimensions
- Purpose & Capability
- okName and description (canonical URL / duplicate content guidance) match the SKILL.md content: the file provides practical checks, rules, and implementation snippets for canonical tags, redirects, and HTTPS. There are no unexpected binaries, credentials, or unrelated capabilities requested.
- Instruction Scope
- noteInstructions are narrowly scoped to canonicalization tasks and include reading local project context if present ('.claude/project-context.md' or '.cursor/project-context.md') to obtain the site URL and language structure. Reading those specific project-context files is reasonable for this skill's purpose, but the instructions do imply the agent will access workspace files — users should confirm those files do not contain sensitive secrets they wouldn't want exposed to the agent.
- Install Mechanism
- okNo install spec or code files are present (instruction-only). This minimizes risk because nothing is downloaded or written to disk by an installer.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The guidance does not instruct the agent to access unrelated environment variables or external credentials.
- Persistence & Privilege
- okThe skill is not always-on and uses default invocation settings. It can be invoked autonomously by the agent (platform default), but it does not request elevated or persistent privileges and does not modify other skills or system-wide configuration.