audit website for SEO, security, performance and 200+ other issues
Review
Audited by ClawScan on May 10, 2026.
Overview
The website-audit purpose is coherent, but the skill also grants and encourages local code-editing and subagent-based fixes without clear approval or scope controls.
Install only if you trust the external squirrel CLI and are comfortable supervising its use. For normal audits, keep it report-only; explicitly approve any code edits, run fixes on a branch, and scan only sites you own or are authorized to test.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could move from auditing into changing local project files, potentially making broad or concurrent code changes the user did not expect from an audit skill.
The skill is advertised primarily as an audit/reporting tool, but it grants filesystem edit capability and instructs agents to apply fixes and use subagents without clearly scoped approval, path limits, or rollback guidance.
allowed-tools: Bash(squirrel:*) Read Edit Grep Glob ... You can apply fixes from an audit on the live site against the local code. ... take advantage of subagents to speed up implementation of fixes.
Use the skill in report-only mode unless you explicitly ask for fixes; require confirmation before edits, work on a branch, and limit changes to specific files or issues.
Security depends on trusting the separately installed squirrel CLI and its update/distribution channel.
The core functionality depends on an external CLI binary that is not included in the skill artifacts and was not scanned here.
This skill requires the squirrel CLI installed and in PATH. **Install:** [squirrelscan.com/download](https://squirrelscan.com/download)
Install the CLI only from the official source, verify its provenance where possible, and keep it updated.
Running scans against sites you do not control, or scanning too frequently, could create unwanted load or violate site policies.
Website crawling is expected for this skill, but the instructions encourage deep and frequent live-site scans while acknowledging possible performance impact.
SECOND SCAN should be a deep scan ... This scan can take longer and may impact the website's performance. ... You should re-audit as often as possible
Audit only websites you are authorized to test, start with shallow scans, and set reasonable crawl limits for production sites.
Audit results stored locally could contain sensitive information about a website or accidental secrets found during scanning.
The skill discloses local caching of audit data, and audits may include sensitive security findings such as leaked secrets.
There are three processes that you can run and they're all cached in the local project database ... **Security**: Leaked secrets, HTTPS usage, security headers, mixed content
Store audit projects securely, avoid sharing report files blindly, and clean up local audit databases when they contain sensitive findings.
If a website includes text that looks like instructions, an agent could misinterpret it unless the audit output is treated strictly as untrusted report data.
The reference documentation explicitly supports piping website-derived audit output directly into an AI agent, so untrusted website content may enter the agent context as data.
# Pipe directly to AI agent
squirrel audit https://example.com --format llm | claude
Treat all crawled website content and report fields as untrusted input; do not let report text override the user's task or safety constraints.
