Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SEO Ranker

v1.0.0

Performs end-to-end SEO audit and on-page optimization by analyzing live SERP, competitor content, backlink data, and generating actionable rewrite guidance.

by Hagen Hoferichter (@h4gen)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for h4gen/seo-ranker.

Install the skill "SEO Ranker" (h4gen/seo-ranker) from ClawHub.
Skill page: https://clawhub.ai/h4gen/seo-ranker
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: BRAVE_API_KEY, MATON_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY
Required binaries: node, npx, summarize, uvx
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install seo-ranker

ClawHub CLI

npx clawhub@latest install seo-ranker

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill claims to orchestrate SERP, summarization, gateway APIs, and markdown conversion — required binaries (node, npx, summarize, uvx) and listed upstream skills align with that purpose. However the registry metadata lists four different model API keys (OPENAI/ANTHROPIC/XAI/GEMINI) as required even though the SKILL.md states only one summarize-model key is needed. Requesting all model keys is disproportionate to the stated orchestration role.
Instruction Scope
SKILL.md is instruction-only and stays within SEO workflow: fetch SERP, summarize competitors, check data-gateway, convert content to Markdown, and produce rewrites. It asks for content file paths and may read user-supplied content (expected). A surprising behavioral detail: when users ask for a 14-day Semrush trial the skill asks for an affiliate/referral URL — this is non-essential promotional behavior that should be disclosed to users. The mandatory behavior to always return a MissingAPIKeys section is explicit and not inherently malicious, but it does increase the chance the skill will enumerate and report which keys are missing/present.
Install Mechanism
The skill has no install spec and contains only runtime instructions. It instructs the agent/user to run 'npx -y clawhub@latest install ...' to pull and install upstream skills. Using npx/npm is common and traceable, but it means network downloads will occur at install time; there is no packaged code in the skill bundle to inspect. This is expected but raises the normal supply-chain risk (npm packages will be executed in the user's environment).
Credentials
Metadata declares BRAVE_API_KEY and MATON_API_KEY (appropriate) but also lists OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, and GEMINI_API_KEY as required. SKILL.md says only one summarize-model key is needed. Requiring multiple LLM provider keys up-front is disproportionate: the skill should accept a single chosen provider. This mismatch increases credential blast radius and may trick users into providing more secrets than necessary. Preflight checks concatenate model keys in a wc -c call — harmless by itself but inconsistent with the 'one key' requirement.
Persistence & Privilege
No always:true, no required config paths, no code written into the package (instruction-only). The skill does not request persistent system-wide changes or elevated privileges in the shown instructions. Autonomous invocation is allowed (disable-model-invocation:false) but that is platform default and not by itself a red flag.
What to consider before installing
What to consider before installing or providing keys:

  • Ask the publisher to clarify which API keys are mandatory versus optional. SKILL.md states only one summarize-model key is needed, but the registry metadata lists four model keys as required. Only give the single model key you plan to use (principle of least privilege).
  • Verify you trust clawhub and the upstream packages that will be installed via 'npx clawhub@latest'; installation will pull code from npm at runtime. If you need to audit code, request a packaged release or run installation in a sandbox first.
  • MATON_API_KEY and BRAVE_API_KEY are expected for the described features; do not supply unrelated cloud credentials. Consider creating scoped/test accounts or tokens with limited permissions for integration testing.
  • Be aware the skill may ask for an affiliate/referral URL for Semrush trials; that's promotional and not required for SEO functionality. Decide whether you want that behavior.
  • Because this skill is instruction-only (no inspectable code), prefer to run it in an isolated environment or request an explicit data-flow diagram showing which external endpoints receive content and which keys are transmitted.

If the publisher can (1) correct the metadata to list only required keys, (2) document exact external endpoints the skill calls, and (3) provide an explicit install artifact or audited upstream package list, my confidence in the skill's coherence would increase.

Runtime requirements

📈 Clawdis
Bins: node, npx, summarize, uvx
Env: BRAVE_API_KEY, MATON_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY, XAI_API_KEY, GEMINI_API_KEY
latest: vk971wer0bn2d96vja58wtgtn11814d36
718 downloads
0 stars
1 version
Updated 4h ago
v1.0.0
MIT-0

Purpose

Run a complete SEO ranking diagnosis and optimization pipeline:

  1. inspect live SERP competition,
  2. compare competitor content structure with user content,
  3. enrich with difficulty/backlink data when API access exists,
  4. produce concrete rewrite guidance and an optimized Markdown draft.

This is an orchestration skill. It does not replace upstream tools.

Required Installed Skills

  • brave-search (inspected latest: 1.0.1)
  • summarize (inspected latest: 1.0.0)
  • api-gateway (inspected latest: 1.0.29)
  • markdown-converter (inspected latest: 1.0.0)

Install/update:

npx -y clawhub@latest install brave-search
npx -y clawhub@latest install summarize
npx -y clawhub@latest install api-gateway
npx -y clawhub@latest install markdown-converter
npx -y clawhub@latest update --all

Verify:

npx -y clawhub@latest list

Required Credentials

  • BRAVE_API_KEY (for brave-search)
  • MATON_API_KEY (for api-gateway)
  • One summarize model key:
    • OPENAI_API_KEY, or
    • ANTHROPIC_API_KEY, or
    • XAI_API_KEY, or
    • GEMINI_API_KEY

Optional:

  • FIRECRAWL_API_KEY (for difficult page extraction via summarize)
  • APIFY_API_TOKEN (for YouTube fallback in summarize)

Preflight:

echo "$BRAVE_API_KEY" | wc -c
echo "$MATON_API_KEY" | wc -c
echo "$OPENAI_API_KEY$ANTHROPIC_API_KEY$XAI_API_KEY$GEMINI_API_KEY" | wc -c

Mandatory behavior:

  • Never fail silently on missing keys.
  • Always return a MissingAPIKeys section with missing variables and blocked stages.
  • Continue with non-blocked stages and clearly mark output as Partial when necessary.
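
A preflight that follows the "one summarize model key" rule and builds the MissingAPIKeys report from variable names only, so no key value or length is ever printed. This is an added example, not part of the skill's SKILL.md; the function names, stage labels (serp, api-gateway, summarize) and report wording are assumptions.

```shell
# Added example: preflight, is_set and MODEL_KEYS are hypothetical names.
MODEL_KEYS="OPENAI_API_KEY ANTHROPIC_API_KEY XAI_API_KEY GEMINI_API_KEY"

# True when the named variable is non-empty. eval only ever sees the fixed
# names used in this file, never user input, and the value is never echoed.
is_set() {
  eval "[ -n \"\${$1:-}\" ]"
}

# Prints a names-only report. Returns 0 when every stage can run and 1 when
# at least one stage is blocked (the caller then marks the output Partial).
preflight() {
  missing="" blocked="" models="" count=0
  is_set BRAVE_API_KEY || { missing="$missing BRAVE_API_KEY"; blocked="$blocked serp"; }
  is_set MATON_API_KEY || { missing="$missing MATON_API_KEY"; blocked="$blocked api-gateway"; }
  for k in $MODEL_KEYS; do
    if is_set "$k"; then models="$models $k"; count=$((count + 1)); fi
  done
  # Any single provider key satisfies the summarize stage.
  if [ "$count" -eq 0 ]; then
    missing="$missing one-of(OPENAI_API_KEY|ANTHROPIC_API_KEY|XAI_API_KEY|GEMINI_API_KEY)"
    blocked="$blocked summarize"
  fi
  echo "MissingAPIKeys:${missing:- none}"
  echo "BlockedStages:${blocked:- none}"
  # Several provider keys in one environment widen the credential blast radius.
  [ "$count" -le 1 ] || echo "Warning: $count model keys set (${models# }); one is enough"
  [ -z "$blocked" ]
}

preflight || echo "Status: Partial"
```
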

Inputs the LM Must Collect First

  • target_url
  • target_keyword (example: AI tools)
  • region_locale (country/language for SERP interpretation)
  • content_source (URL fetch, pasted text, or file path)
  • content_type (blog, category page, product page, landing page)
  • business_goal (traffic, leads, sales)
  • rewrite_scope (light, moderate, full)
  • data_provider_preference (semrush, ahrefs, gsc-only, none)

Do not run rewrite before keyword intent and content goal are explicit.

Tool Responsibilities

brave-search

Use for live SERP reconnaissance:

  • fetch top results for the target keyword,
  • identify top competitors and search intent patterns,
  • collect candidate URLs for deeper analysis.

Operational constraints from inspected skill:

  • requires BRAVE_API_KEY
  • supports content extraction with --content

summarize

Use for structured competitor content analysis:

  • summarize each top URL,
  • extract heading structure (H1-H4), topic coverage, entity frequency,
  • estimate content depth and rhetorical style differences.

Operational constraints from inspected skill:

  • requires one supported model API key
  • can use --extract-only, --json, and length controls

api-gateway

Use for external SEO data APIs only when active connections exist:

  • keyword difficulty,
  • backlink domains,
  • competitor link intersections,
  • search performance enrichments.

Operational constraints from inspected skill:

  • requires MATON_API_KEY
  • also requires active OAuth/connection per app (ctrl.maton.ai connection lifecycle)
  • API key alone does not grant third-party data access

Important capability note:

  • In the inspected api-gateway service list, semrush and ahrefs are not listed as native app names.
  • Use direct Semrush/Ahrefs integration only if user already has a working gateway connection path for those providers.
  • Otherwise fall back to available SEO apps (for example google-search-console) and manual competitor-link extraction.

markdown-converter

Use to normalize the user's own content into editable Markdown:

  • convert input documents/files to Markdown (uvx markitdown ...),
  • preserve headings/lists/tables for deterministic rewriting.

Canonical Causal Signal Chain

  1. Input Stage
     • user provides URL + target keyword (+ content source if needed).
  2. SERP Audit Stage (brave-search)
     • pull live SERP and identify top 3 competitors.
     • detect intent class (informational/commercial/transactional).
  3. Competitor Content Stage (summarize)
     • analyze top competitor URLs for:
       • heading hierarchy,
       • topical breadth and entities,
       • use of statistics/evidence,
       • sentence complexity and content length.
  4. Data Gate Stage (api-gateway)
     • check whether provider data can be retrieved.
     • if keyword difficulty/backlink data is unavailable, ask user for credentials/connection and continue with fallback path.

     Required user-facing gate message format:

     • DataGateStatus: available / blocked
     • Reason: missing key, missing connection, or provider unsupported
     • Action: exact next step and link(s)

     As of February 14, 2026:

     • Semrush advertises mainly 7-day toolkit trials on official pages.
     • Semrush 14-day trial language is mainly associated with some add-ons or partner offers.

     When user requests a 14-day Semrush trial:

     • Ask for their preferred affiliate/referral URL first.
     • If none is provided, share official Semrush trial entry page: https://www.semrush.com/sem/.
     • Optionally share Ahrefs free path for verified sites: https://ahrefs.com/webmaster-tools.
  5. Optimization Stage (LLM rewrite)
     • rewrite user content for intent-match and topical completeness,
     • add natural related terms (LSI-style concept coverage),
     • improve title tag and meta description,
     • tighten heading structure and internal linking opportunities.
  6. Output Stage
     • deliver optimized Markdown,
     • deliver prioritized action list,
     • deliver at least 5 backlink source opportunities (with confidence labels).

Rewrite Policy

  • Preserve factual integrity (do not invent statistics or case studies).
  • Prefer semantic coverage over keyword stuffing.
  • Keep keyword usage natural and intent-aligned.
  • Add scannable structure (clear H2/H3, concise paragraphs, actionable bullets).

Output Contract

Always return:

  • SERPFindings
    • top competitors
    • observed intent pattern
    • structural/content gaps versus user page
  • DataGateStatus
    • provider requested
    • key/connection status
    • fallback mode selected
  • OptimizedMarkdown
    • full rewritten document
    • revised title and meta description
  • BacklinkOpportunities
    • 5 sources/domains used by competitors or high-fit alternatives
    • rationale per source
    • confidence (high|medium|low)
  • NextActions
    • concrete implementation checklist (ordered)

Quality Gates

Before final output, validate:

  • top competitor set is from live SERP, not memory
  • rewrite aligns with detected intent
  • no fabricated citations or fabricated backlink claims
  • keyword placement is natural (no spam repetition)
  • missing data dependencies are explicitly disclosed

If any gate fails, return Needs Revision with exact missing evidence.

Failure Handling

  • Missing BRAVE_API_KEY: return MissingAPIKeys, skip SERP stage, and request user-provided competitor URLs.
  • Missing summarize model key: return MissingAPIKeys, skip summarize stage, and provide structure-only audit from available snippets.
  • Missing MATON_API_KEY: return MissingAPIKeys, skip API-gateway enrichment, continue with on-page-only optimization.
  • Missing app connection in api-gateway (400): keep pipeline running in fallback mode and return exact connection setup steps.
  • Unsupported provider path (for example no Semrush/Ahrefs app connection): disclose limitation and fall back to GSC/manual mode.

Guardrails

  • Never claim guaranteed rankings.
  • Never represent fallback estimates as provider-verified metrics.
  • Never hide dependency failures.
  • Keep recommendations specific, measurable, and tied to observed SERP gaps.
