Affiliate Link Injector

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Incorrect matches or overbroad execution could add unwanted affiliate links, disclosures, or tracking URLs to live posts.

Why it was flagged

The skill advertises direct mutation of WordPress posts/pages and auto-insertion of affiliate links, which can change public content and monetization behavior.

Skill content

**WordPress** (direct post/page injection via REST API) ... one-click approval button to auto-inject links

Recommendation

Use this only on drafts or backed-up content, require explicit approval for each post/change, and keep a rollback copy before publishing updates.

What this means

A broadly scoped key could allow unintended edits or account access beyond the immediate affiliate-linking task.

Why it was flagged

The example asks the user to provide a WordPress REST API key, which may grant access to read or modify website content, without clear least-privilege guidance.

Skill content

WordPress URL: https://myblog.com
API key: [your WordPress REST API key]

Recommendation

Use a narrowly scoped, revocable application password or token; avoid pasting long-lived admin credentials; revoke the key after use.

What this means

Users may rely on generated disclosures as legally sufficient even when their jurisdiction, platform, or affiliate program requires different wording or placement.

Why it was flagged

The skill makes strong legal-compliance assurances without showing review provenance or limits, which could lead users to over-trust generated disclosures.

Skill content

Generates legally-reviewed disclosure statements ... Legal-safe (covers all affiliate relationships)

Recommendation

Treat disclosure text as a draft and have compliance/legal requirements verified before using it on public content.

What this means

Draft content, monetization strategy, or compliance notes could be shared with connected workspaces or providers.

Why it was flagged

The skill discloses third-party document and messaging integrations that may receive content excerpts, reports, or link suggestions.

Skill content

- **Google Docs** (scan and suggest links for approval)
- **Slack** (send compliance reports and link suggestions)

Recommendation

Confirm which accounts/workspaces are connected and avoid sending confidential drafts unless those destinations are intended.