Skill v1.0.0
ClawScan security
AI SEO Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 15, 2026, 6:46 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill advertises enterprise, real-time, Google-backed SEO analysis and live competitor data, but the bundled code only uses local/mock data and makes no external API or web requests, so its advertised capabilities are misleading.
- Guidance: This package appears safe from malware or credential exfiltration (no network calls, no env/credential usage), but it is misleading: the marketing/README promise real-time, Google-based analytics while the code uses simulated/mock data and placeholder responses. Before installing or paying: 1) ask the author which real data sources and APIs (and credentials) will be used; 2) request proof of live SERP integrations or sample runs against real sites; 3) if you test it, run it in an isolated environment with networking disabled or monitored and confirm whether it performs any network I/O; 4) treat the commercial pricing and the placeholder support/contact URLs (support@example.com, docs.example.com) with caution, as they look like stubs. If you need genuine real-time SEO data, prefer a skill that explicitly documents which external APIs it calls and what credentials it requires.
Review Dimensions
- Purpose & Capability (concern): The name/description and SKILL.md claim 'based on the latest Google algorithm' (基于最新 Google 算法), 'real-time competitive analysis' (实时竞争分析) and 'real-time search/reports' (实时搜索/报告), which imply network calls and integration with search/analytics providers. However, the code (web-search._performSearch, content-analyzer._fetchContent, rank-tracker._getRanking, etc.) returns simulated/mock data and contains no HTTP/network calls, no API client code and no requirement for API keys. This mismatch means the implementation cannot deliver the real-time, data-driven capabilities the marketing claims promise.
- Instruction Scope (note): The SKILL.md usage examples match the functions exported by index.js/SEOEngine (analyze, keywordResearch, optimizeContent, trackRankings, suggestInternalLinks). The runtime instructions do not ask the agent to read unrelated files or secrets. One inconsistency: the metadata says 'No install spec — instruction-only', but the package includes multiple JS source files, so it is not actually instruction-only.
- Install Mechanism (ok): No install script or external downloads. The package is pure Node.js source with no declared dependencies and no install-time network retrieval, so install risk is low.
- Credentials (ok): The skill declares no required environment variables and no credentials, and the code does not read process.env. This is proportionate to the provided (local/simulated) functionality. Note: if you expect real Google or SERP integration, the skill currently lacks the API keys/credentials that would be needed.
- Persistence & Privilege (ok): The skill does not request persistent elevated privileges; its flags show always:false and default agent autonomy. The code stores only in-memory maps for caches/histories and does not modify other skills or system configuration.
