ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

url-structure

v1.1.0

When the user wants to optimize URL structure, fix URL issues, or plan URL hierarchy. Also use when the user mentions "URL structure," "URL optimization," "s...

0· 49·0 current·0 all-time
byKostja Zhang@kostja94
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and SKILL.md content all focus on URL structure and SEO best practices. There are no unrelated required binaries, environment variables, or install steps — the requested capabilities align with the stated purpose.
!
Instruction Scope
The runtime instructions explicitly tell the agent to 'read' project context files (.claude/project-context.md or .cursor/project-context.md) if they exist to gather site structure. That file access is reasonable for site-specific recommendations, but the SKILL.md references local project files that are not declared in the skill's metadata (required config paths). Any instruction that reads local files should be called out in the metadata so users know what will be accessed. Otherwise the instructions are scoped to URL analysis and related SEO tasks and do not direct data to external endpoints beyond included benign references.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is the lowest-risk install mechanism — nothing is written to disk by an install step.
Credentials
The skill requests no environment variables, credentials, or external config paths in its metadata. However, the SKILL.md does instruct reading local project files for context. While these files are relevant to the skill's purpose, the access is not declared in requires.config or similar metadata, creating a minor proportionality/documentation mismatch.
Persistence & Privilege
always is false, the skill has no install step, and it does not request persistent system privileges or modify other skills or system-wide settings. Autonomous invocation (disable-model-invocation: false) is the platform default and is not in itself a new risk here.
What to consider before installing
This skill appears to do what it says — SEO-focused URL structure advice — and it does not require credentials or install anything. Before enabling it: (1) Inspect any local project-context files (.claude/project-context.md, .cursor/project-context.md) the skill would read and remove or sanitize sensitive data; (2) If you want explicit guarantees, ask the skill author to declare those config paths in the skill metadata so file access is transparent; (3) If you run agents on sensitive codebases, test the skill in a non-sensitive environment first; (4) Note the skill references other related skills (url-slug-generator, canonical-tag) — those are not installed automatically, so check how/when the agent will call them. If you are comfortable with the skill reading project-context files for tailored advice, the risk is low; if not, avoid installing or remove/sanitize those files first.

Like a lobster shell, security has layers — review code before you run it.

latestvk973aztjbm92eypm1348fd4xnh849ekq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments