ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

indexnow

v1.0.1

When the user wants to implement IndexNow, notify search engines of new/updated URLs, or speed up Bing indexing. Also use when the user mentions "IndexNow,"...

0· 50·0 current·0 all-time
byKostja Zhang@kostja94
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (IndexNow / notify search engines) align with the SKILL.md content: it explains key generation, verification file, single/batch submission, CI integration, and best practices. The requested actions are coherent with implementing IndexNow.
!
Instruction Scope
The instructions explicitly tell the agent to check for and read .claude/project-context.md or .cursor/project-context.md to discover the site URL, but the skill metadata does not declare any required config paths. Reading arbitrary project files is out-of-band for a capability that otherwise needs only a site URL; additionally the guide instructs creating a verification file on the site's root (which implies write/deploy access). These file-read/write expectations should be declared and consented to.
Install Mechanism
No install spec and no code files — instruction-only skill. This is the lowest install risk (nothing downloaded or written by the installer).
Credentials
The skill requests no environment variables or credentials in metadata (good). However, it instructs generating an API key and creating a verification file; that workflow implies the agent/operator will create and host secrets on the target site. Because the skill also asks the agent to read project-context files (undeclared), there is a proportionality mismatch between declared env/config access (none) and runtime file access described in SKILL.md.
Persistence & Privilege
always is false and the skill does not request permanent presence or modify other skills. It does suggest CI/CD integration and running npm scripts, but that is typical for the task and not an elevated platform privilege.
What to consider before installing
This skill is generally coherent for implementing IndexNow, but it asks the assistant to read local project-context files (.claude/project-context.md or .cursor/project-context.md) even though no config paths are declared. Before installing or invoking it, verify what those project-context files contain (they can include private URLs, tokens, or other sensitive info) and prefer to provide the site URL yourself rather than allowing automated file reads. Also be cautious about any step that requires writing a verification file to your live site or running CI scripts — perform those steps manually or review generated scripts before running them. Because this is instruction-only (no install), the technical risk is lower, but the file-read/write expectation should be explicit and consented to.

Like a lobster shell, security has layers — review code before you run it.

latestvk97amctd0gv7npvk0ac82s0mpn84bwfe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments