Back to skill
Skillv1.0.0
ClawScan security
seo-monitoring · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 4:28 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only SEO monitoring guide that is internally consistent with its stated purpose and does not request unexpected credentials or install actions, but it does recommend API usage and user-identifying tracking that you should handle carefully.
- Guidance
- This skill appears to be a benign, high-level guide for building SEO monitoring. Before using it: (1) be prepared to supply API credentials for GA4/GSC/Bing/Yandex yourself — prefer read-only or narrowly scoped tokens; (2) avoid sending personally-identifying user IDs to analytics unless you understand and control privacy/consent implications; (3) ask the publisher for clarification if you expect the skill to automate API calls (which credentials and scopes it needs, and how it stores them); and (4) if you plan to let the agent act autonomously, ensure it only receives credentials when you explicitly authorize them and that tokens have least privilege.
Review Dimensions
- Purpose & Capability
- okThe name/description match the SKILL.md content: it documents building an SEO data system (indexing, traffic, keywords, backlinks), benchmarks, and tooling. Nothing in the instructions requires access to unrelated systems.
- Instruction Scope
- noteInstructions are high-level guidance (metrics, workflows, API usage). They do not contain commands or file reads, but they explicitly recommend using GA4 user IDs and GSC API automation — which raises privacy considerations and implies the need for API credentials that the skill does not describe how to obtain or scope.
- Install Mechanism
- okNo install spec and no code files are present (instruction-only), so nothing will be written to disk or automatically downloaded during install.
- Credentials
- noteThe skill declares no required env vars or credentials, yet it recommends integrating with GA4, GSC, Bing/Yandex APIs and sending User ID to GA4. In practice those integrations will require API keys and permission scopes; the skill simply assumes they exist rather than declaring or restricting them.
- Persistence & Privilege
- okalways is false and there is no install or configuration that requests permanent presence or modifies other skills. The skill can be invoked by the agent, which is the normal behavior.