Skill v0.1.0
ClawScan security
Technical Seo Checker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 12:43 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only technical SEO auditing skill whose declared requirements and actions are consistent with its stated purpose (no credentials, no installers, just templates and prompts).
- Guidance: This skill is instruction-only and internally coherent, but exercise normal caution before enabling automated connectors. If you plan to let the agent run automatic crawls or query PageSpeed Insights / Search Console / a CDN, those connectors will require separate API keys or account access — only provide least-privilege tokens and prefer read-only credentials. Because the published source/homepage are not provided, treat this as community content: if provenance matters to you, prefer installing skills from authors/projects you trust or verifying the skill bundle on disk before use. If you only need a manual audit, the skill will work by having you paste robots.txt, sitemap, PageSpeed reports, and URLs — no credentials needed.
Review Dimensions
- Purpose & Capability (ok): The skill's name and description match what the SKILL.md actually does: guidance and templates for crawlability, indexability, page speed, mobile friendliness, security headers, structured data and related checks. It does not request unrelated binaries, environment variables, or file-system access.
- Instruction Scope (note): The SKILL.md is an instruction-only audit workflow and asks the agent to fetch robots.txt, sitemap, PageSpeed reports, etc. It explicitly describes two modes: (A) automated operation “with web crawler / page speed tool / CDN connected” and (B) manual operation where the user supplies reports and site data. The skill itself provides no connector code and declares no credentials — so in practice the agent will either (1) prompt the user for the required files/reports or (2) rely on platform-level connectors if they exist. This is coherent, but be aware that enabling automated connectors would require separate credentials or integrations not declared here.
- Install Mechanism (ok): No install spec and no code to run — the skill is purely instructional and adds nothing to disk or PATH. This is the lowest-risk install model.
- Credentials (ok): The skill declares no environment variables, no primary credential, and no config paths. That is proportionate to an instruction-only auditor that either (a) asks the user to paste reports or (b) uses external connectors which would be configured separately.
- Persistence & Privilege (ok): The skill does not request persistent presence (always: false) and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed by platform default, but nothing in the skill raises additional privilege concerns.
