Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Search Console Report

v1.1.1

Generate comprehensive SEO analysis reports from Google Search Console data with PDF export. Use when the user wants to analyze search performance, get SEO i...

0 · 91 · 0 current · 0 all-time
by GuangxianLiu (@lgx-00)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
SKILL.md describes a generic Search Console report generator that authenticates with a Google Service Account and fetches data for arbitrary sites. The shipped code (gen_report.py) implements neither the API calls nor the authentication: it reads pre-fetched data from /tmp/sc_detailed_data.json and labels sites through a fixed SITE_NAMES mapping that covers only a handful of specific domains (DingTalk sites). The code is therefore not self-contained for the purpose described, and it is tailored to a small set of sites rather than to whatever sites the user supplies.
Instruction Scope (flagged)
The runtime instructions ask the agent to prompt the user for a service-account key, perform JWT authentication, call the Search Console APIs, and accept user-provided site URLs. The code never reads a key or touches the network; it expects pre-fetched JSON in /tmp and ignores any user-supplied site list. That divergence silently expands the agent's responsibilities (something has to fetch the data and write the JSON), and the manifest does not document it, which is both risky and confusing.
Install Mechanism
This is an instruction-only skill (no install spec). The SKILL.md recommends creating a Python venv and pip-installing reasonable packages (pyjwt, cryptography, requests, matplotlib, pandas, reportlab). Package list is proportionate to generating charts/PDFs. No remote downloads or extract steps are present in the manifest or code.
Credentials (flagged)
SKILL.md legitimately requires a Google Service Account JSON key for Search Console access, but the package metadata lists no required env vars and the included code never uses the key. In addition, gen_report.py writes its output to a hardcoded path under /Users/admin/.accio/... and supports only the fixed SITE_NAMES set. Asking for a service-account key, which grants access to every property that account can read, while shipping code tailored to a few specific sites is disproportionate and unexplained.
Persistence & Privilege (flagged)
The skill is not marked always:true (good), but gen_report.py writes files to /tmp and to a hardcoded output path inside /Users/admin/.accio/accounts/..., which targets one specific agent/project layout. Hardcoded paths like this can overwrite files or expose data when the environment differs from the author's. The skill also assumes that the agent or the user will create /tmp/sc_detailed_data.json, which adds an undocumented implicit duty for the agent.
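The findings above (no network code despite the manifest's claims, hardcoded absolute paths, a fixed SITE_NAMES table, no credential handling) are all visible from a static read of the script. The following is an added example, not ClawHub's scanner and not code from the skill, showing how a reviewer can reproduce that kind of check with the standard-library ast module before installing anything. SAMPLE_SOURCE is a constructed stand-in written from this page's description of gen_report.py, not the real file, and the /Users/admin/... path in it is a placeholder; the module list and path regex are heuristics chosen for the example.

```python
"""Static pre-install audit of a Python skill script (added example)."""
import ast
import re
from dataclasses import dataclass, field

# Modules whose presence means the script can reach the network (heuristic list).
NETWORK_MODULES = {"requests", "urllib", "urllib3", "http", "socket", "httpx", "aiohttp"}
# String literals that look like absolute filesystem paths the script depends on.
ABS_PATH_RE = re.compile(r"^/(tmp|Users|home|var|etc|root|private)(/|$)")

# Constructed stand-in for gen_report.py, written from the page's description.
# NOT the skill's real file; the /Users/admin/... value is a placeholder.
SAMPLE_SOURCE = '''
import json
import matplotlib.pyplot as plt

SITE_NAMES = {"sc-domain:example-a.test": "Example A",
              "sc-domain:example-b.test": "Example B"}
INPUT_PATH = "/tmp/sc_detailed_data.json"
OUTPUT_DIR = "/Users/admin/.accio/accounts/placeholder"

def load():
    with open(INPUT_PATH) as fh:
        return json.load(fh)
'''


@dataclass
class Findings:
    network_imports: list = field(default_factory=list)
    absolute_paths: list = field(default_factory=list)
    env_reads: list = field(default_factory=list)
    hardcoded_mappings: list = field(default_factory=list)


def _is_os(node) -> bool:
    return isinstance(node, ast.Name) and node.id == "os"


def _is_environ(node) -> bool:
    return isinstance(node, ast.Attribute) and node.attr == "environ" and _is_os(node.value)


def audit_source(source: str) -> Findings:
    """Walk the AST once and collect the four kinds of findings."""
    f = Findings()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            f.network_imports += [a.name for a in node.names
                                  if a.name.split(".")[0] in NETWORK_MODULES]
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in NETWORK_MODULES:
                f.network_imports.append(node.module)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if ABS_PATH_RE.match(node.value):
                f.absolute_paths.append(node.value)
        elif isinstance(node, ast.Subscript) and _is_environ(node.value):
            f.env_reads.append(ast.unparse(node))        # os.environ["X"]
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if (node.func.attr == "get" and _is_environ(node.func.value)) or \
               (node.func.attr == "getenv" and _is_os(node.func.value)):
                f.env_reads.append(ast.unparse(node))    # os.environ.get("X") / os.getenv("X")
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Dict):
            t = node.targets
            if len(t) == 1 and isinstance(t[0], ast.Name) and t[0].id.isupper():
                f.hardcoded_mappings.append(t[0].id)     # e.g. SITE_NAMES = {...}
    return f


def compare_with_manifest(f: Findings, claims: dict) -> list:
    """Human-readable mismatches between what SKILL.md claims and what the code can do."""
    out = []
    if claims.get("calls_google_api") and not f.network_imports:
        out.append("manifest says the code calls the Search Console API, "
                   "but no network-capable module is imported")
    if claims.get("uses_service_account_key") and not f.env_reads:
        out.append("manifest requires a service-account key, "
                   "but the code reads no environment variable for it")
    if claims.get("accepts_arbitrary_sites") and f.hardcoded_mappings:
        out.append("manifest promises arbitrary site URLs, but the code hard-codes: "
                   + ", ".join(f.hardcoded_mappings))
    out += ["hard-coded absolute path: " + p for p in f.absolute_paths]
    return out


if __name__ == "__main__":
    claims = {"calls_google_api": True, "uses_service_account_key": True,
              "accepts_arbitrary_sites": True}
    for line in compare_with_manifest(audit_source(SAMPLE_SOURCE), claims):
        print("MISMATCH:", line)
```

Run it against the real gen_report.py by reading the file into `audit_source`; an empty `network_imports` together with a claim that the skill authenticates and fetches data is exactly the gap the scanner reports, and every entry in `absolute_paths` is a location the script will read or write without asking.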
What to consider before installing
Do not install or run this skill until it is clear how data is supplied. The instructions say the skill will authenticate to Google and fetch Search Console data, but the included script expects a pre-made /tmp/sc_detailed_data.json, uses hardcoded site names, and writes to a fixed output path (/Users/admin/.accio/...). Before using it:
1) Ask the author whether the agent is expected to perform the API calls and write /tmp/sc_detailed_data.json itself. The mismatch has to be resolved, because whatever fills that gap is what actually handles your credentials.
2) Do not upload or paste your Google service-account JSON into unknown services. Keep the key on a local machine you control, and prefer a service account that has been granted access only to the Search Console properties this report needs.
3) Review and modify gen_report.py so it takes an explicit input-file path and output path (do not rely on the hardcoded /Users/admin paths), and remove or generalize SITE_NAMES.
4) Run it in an isolated environment (a dedicated VM or container) and watch its network activity to confirm that no unexpected endpoints are contacted.
The inconsistencies are most likely poor packaging or assumptions about the runtime, but they could also cause accidental data loss or leakage if you supply credentials without understanding the data flow.
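Step 3 asks for explicit, caller-supplied paths and a site mapping that is not hardcoded. The following is an added example of what that looks like; it is not the skill's gen_report.py and is not the project's code. It assumes a JSON layout of {"sites": [{"siteUrl": ..., "rows": [{"clicks": ..., "impressions": ...}]}]}, which this page does not document for the real /tmp/sc_detailed_data.json, so treat that schema and CONSTRUCTED_DATA as made up for the example. The output is plain text in place of the skill's PDF so that it runs without reportlab.

```python
"""Explicit, validated input/output handling for a report script (added example)."""
import json
from pathlib import Path
from urllib.parse import urlparse

MAX_INPUT_BYTES = 50 * 1024 * 1024  # assumption: a larger file is not a Search Console export we expect

# Constructed sample input; the real export layout is undocumented on the page.
CONSTRUCTED_DATA = {
    "sites": [
        {"siteUrl": "sc-domain:example-a.test",
         "rows": [{"query": "alpha", "clicks": 10, "impressions": 200},
                  {"query": "beta", "clicks": 5, "impressions": 100}]},
        {"siteUrl": "https://www.example-b.test/",
         "rows": [{"query": "gamma", "clicks": 0, "impressions": 0}]},
    ]
}


def resolve_output_path(base_dir, filename, allow_overwrite=False) -> Path:
    """Return base_dir/filename only if it stays inside base_dir and does not clobber a file."""
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()       # resolve() also follows symlinks out of base
    if base not in target.parents:
        raise ValueError(f"refusing to write outside {base}: {filename!r}")
    if target.exists() and not allow_overwrite:
        raise FileExistsError(f"{target} exists; pass allow_overwrite=True to replace it")
    return target


def is_safe_output(base_dir, filename) -> bool:
    try:
        resolve_output_path(base_dir, filename)
        return True
    except (ValueError, FileExistsError):
        return False


def validate_report_data(data) -> None:
    """Reject anything that is not the shape the renderer expects, before it is used."""
    if not isinstance(data, dict) or not isinstance(data.get("sites"), list):
        raise ValueError("expected {'sites': [...]}")
    for site in data["sites"]:
        if not isinstance(site, dict) or not isinstance(site.get("siteUrl"), str) \
                or not isinstance(site.get("rows"), list):
            raise ValueError("each site needs a 'siteUrl' string and a 'rows' list")
        for row in site["rows"]:
            if not isinstance(row, dict) or any(
                    not isinstance(row.get(k), (int, float)) for k in ("clicks", "impressions")):
                raise ValueError("each row needs numeric 'clicks' and 'impressions'")


def is_valid_report_data(data) -> bool:
    try:
        validate_report_data(data)
        return True
    except ValueError:
        return False


def load_report_data(path) -> dict:
    """Read the export from a caller-chosen path instead of a fixed /tmp location."""
    p = Path(path)
    if not p.is_file():
        raise FileNotFoundError(f"input file not found: {p}")
    if p.stat().st_size > MAX_INPUT_BYTES:
        raise ValueError(f"input file too large: {p}")
    with p.open("rb") as fh:
        data = json.load(fh)
    validate_report_data(data)
    return data


def display_name(site_url: str) -> str:
    """Label a property from its own identifier rather than a fixed SITE_NAMES table."""
    if site_url.startswith("sc-domain:"):          # domain property
        return site_url[len("sc-domain:"):]
    return urlparse(site_url).netloc or site_url   # URL-prefix property


def summarize(data: dict) -> dict:
    out = {}
    for site in data["sites"]:
        clicks = sum(r["clicks"] for r in site["rows"])
        impressions = sum(r["impressions"] for r in site["rows"])
        out[display_name(site["siteUrl"])] = {
            "clicks": clicks, "impressions": impressions,
            "ctr": clicks / impressions if impressions else 0.0}
    return out


def render_report(summary: dict) -> str:
    lines = ["Search Console summary", ""]
    for name, s in sorted(summary.items()):
        lines.append(f"{name}: clicks={s['clicks']} impressions={s['impressions']} ctr={s['ctr']:.2%}")
    return "\n".join(lines) + "\n"


def write_report(data: dict, output_dir, filename, allow_overwrite=False) -> Path:
    target = resolve_output_path(output_dir, filename, allow_overwrite)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(render_report(summarize(data)), encoding="utf-8")
    return target


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())                      # stand-in for a user-chosen directory
    src = work / "sc_detailed_data.json"
    src.write_text(json.dumps(CONSTRUCTED_DATA), encoding="utf-8")
    out = write_report(load_report_data(src), work / "reports", "report.txt")
    print(out.read_text(encoding="utf-8"))
```

The two checks that matter for the findings on this page are `resolve_output_path`, which turns the hardcoded /Users/admin target into a directory the user picks and refuses anything that escapes it, and `validate_report_data`, which stops the script from silently rendering whatever happens to be in the JSON the agent wrote.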

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ev931fdp0w77zzgx3x6xxen841eyr
