PLS SEO Audit

v1.0.0

Scan websites and content to identify SEO gaps, analyze meta tags, technical factors, keyword use, and provide competitor comparison insights.

by Matt Valenta (@mattvalenta)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (SEO audit) aligns with the actions in SKILL.md: fetching pages, checking meta tags, running PageSpeed/Lighthouse, SSL checks, and content analysis. However, the instructions expect tools and libraries (curl, openssl, xmllint, npx/lighthouse, Python packages like requests, bs4, textstat) and API credentials (Google API key / Bearer token placeholders) while the registry metadata declares no required binaries, env vars, or dependencies. That mismatch is unexpected and reduces coherence.
Instruction Scope
SKILL.md tells the agent to make network requests to target sites and to Google APIs, run local CLI tools (openssl, xmllint, npx lighthouse), and execute Python snippets that use third-party libraries. It includes placeholders for YOUR_API_KEY and YOUR_TOKEN but gives no guidance on where those should come from. While the listed actions are appropriate for an SEO audit, the instructions rely on running external commands and executing code without describing how dependencies or credentials are provided — this could lead the agent to run unfamiliar tooling (e.g., npx) or attempt to fetch/install packages at runtime.
Install Mechanism
There is no install spec (instruction-only), which is low risk in itself. But because SKILL.md expects specific CLI tools and Python libraries, the absence of an install section or a declared dependency list is a gap: users/agents may need to install npm packages, system binaries, or pip packages manually. Calling 'npx' runs remote npm packages transiently, which can execute arbitrary code — this should be explicitly declared and justified.
Credentials
The registry metadata declares no required environment variables or primary credential, yet the instructions use placeholders for API keys and an Authorization Bearer token when calling Google APIs. That discrepancy means the skill may attempt to use credentials not listed by the skill metadata, increasing the chance of accidental credential exposure or misconfiguration. Otherwise, the skill does not request unrelated secrets.
Persistence & Privilege
The skill is not marked always: true and uses default invocation settings. It does not request persistent system-wide changes or modify other skills' configs in SKILL.md, so its requested level of presence appears appropriate.
What to consider before installing
This instruction-only SEO skill appears to do what it says, but several practical and security gaps are present. Before installing or using it:

(1) confirm and supply missing dependencies and credentials explicitly — add required binaries (curl, openssl, xmllint, node/npx) and a pip requirements list (requests, beautifulsoup4, textstat) or install steps;
(2) provide a secure place for API keys/tokens (do not paste them into chat) and ensure the skill metadata lists any required env vars;
(3) be cautious about running 'npx lighthouse' because npx fetches and executes packages from npm at runtime — prefer a pinned, audited install or a vendor-provided binary;
(4) verify network behavior: the skill will fetch arbitrary websites and call Google APIs, so ensure you trust the agent/runtime environment's network access and that no sensitive credentials will be sent to untrusted endpoints;
(5) ask the publisher (or update the SKILL.md) to reconcile declared requirements with actual instructions (dependencies and credential needs) — that will make the skill coherent and safer to run.
