Skill v1.0.0
ClawScan security
Search Optimization Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 1:49 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill claims to integrate with paid/public SEO APIs and to crawl sites, but provides no install spec, no code, and declares no API credentials. This mismatch between stated capability and declared requirements is suspicious and needs clarification before use.
- Guidance
- This skill describes using paid/public SEO APIs and crawling websites but declares no API keys or config—ask the author for the source repository, a list of exact endpoints the agent will call, and which credentials it expects. Do not hand over API keys, tokens, or account passwords unless you trust the code and the destination endpoints. If you plan to use it: (1) require the skill to explicitly declare needed env vars and what they are used for, (2) run it with autonomous invocation disabled or in a sandboxed/limited environment until you review network calls, and (3) prefer a version with a public repo/release so you can inspect how API keys are used. If the author provides the missing details (explicit endpoints, required env vars, or a public code repository showing legitimate API usage), the assessment could be upgraded; until then treat this as suspicious.
Review Dimensions
- Purpose & Capability
- concern: The description promises real-data integrations (Google Keyword Planner, Ahrefs, SEMrush, Google Trends, PageSpeed Insights, Google Search Console, etc.) and site crawling/audits. However, the skill declares no required environment variables, no primary credential, and no config paths. Real use of those APIs requires API keys/accounts. The declared requirements do not match the stated capabilities.
- Instruction Scope
- note: The SKILL.md instructs calling an unspecified 'keyword_research API', 'site_crawl' (up to 100 pages), PageSpeed/Mobile tests, backlink analysis, and other external lookups. It does not instruct reading unrelated local files or environment variables, but it leaves critical details unspecified (which endpoints, where API keys come from, what external services are contacted). The instructions could cause the agent to attempt network calls or prompt the user for credentials at runtime.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. That lowers installation risk, but the lack of code means the runtime behavior depends entirely on how the agent implements the steps and where it sends requests.
- Credentials
- concern: The skill's tasks (API-driven keyword research, PageSpeed, Ahrefs/SEMrush lookups, Search Console checks) normally require API keys/tokens. Yet requires.env and primary credential are empty. Either the skill expects the agent to have global credentials elsewhere (not declared), or it will prompt the user for sensitive keys at runtime. Both are problematic and disproportionate to what's declared.
- Persistence & Privilege
- ok: The always flag is false, and there are no install scripts or claims of modifying other skills or system settings. The skill does not request persistent elevated presence in the agent environment.
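
The declared-versus-referenced consistency check behind the Guidance above and the Credentials, Instruction Scope, Install Mechanism and Persistence dimensions, as an added example that is not ClawHub's scanner code: a heuristic pre-review you can run locally over a skill manifest before handing any keys to it. The manifest field names (requires_env, primary_credential, install, always), the service-to-env-var mapping, the endpoint pattern and both sample skills are assumptions constructed for illustration; the second sample shows what the report says an upgraded assessment would need (declared env vars and named endpoints).

```python
"""Added example, not ClawHub's scanner: check whether a skill's declared
requirements (env vars, primary credential, install spec, 'always' flag) are
consistent with the external services its SKILL.md instructions reference.
Manifest fields, the service mapping and the sample skills are constructed."""
import re
from dataclasses import dataclass, field

# Hypothetical mapping of credentialed services (as named in the scanner
# report) to the env vars a legitimate skill would be expected to declare.
CREDENTIALED_SERVICES = {
    "ahrefs": ["AHREFS_API_KEY"],
    "semrush": ["SEMRUSH_API_KEY"],
    "google search console": ["GSC_OAUTH_CLIENT_ID", "GSC_OAUTH_CLIENT_SECRET"],
    "google keyword planner": ["GOOGLE_ADS_DEVELOPER_TOKEN"],
    "pagespeed": ["PAGESPEED_API_KEY"],
}
NETWORK_VERBS = re.compile(r"\b(crawl|fetch|call|query|look ?up|request)\b", re.I)
ENDPOINT = re.compile(r"https?://[^\s)]+")


@dataclass
class Skill:
    name: str
    instructions: str                        # SKILL.md body (assumed field)
    requires_env: list = field(default_factory=list)
    primary_credential: str = ""
    install: dict = field(default_factory=dict)
    always: bool = False


@dataclass
class Finding:
    dimension: str
    level: str                               # "ok" | "note" | "concern"
    detail: str


def review(skill: Skill) -> list:
    """Return one Finding per review dimension, mirroring the report's levels."""
    text = skill.instructions.lower()
    declared = set(skill.requires_env) | ({skill.primary_credential} - {""})
    findings = []

    # Credentials: services that need keys versus what the manifest declares.
    referenced = [s for s in CREDENTIALED_SERVICES if s in text]
    undeclared = {s: [v for v in CREDENTIALED_SERVICES[s] if v not in declared]
                  for s in referenced}
    undeclared = {s: vs for s, vs in undeclared.items() if vs}
    if referenced and not declared:
        findings.append(Finding("Credentials", "concern",
            f"references {', '.join(referenced)} but declares no env vars or primary credential"))
    elif undeclared:
        findings.append(Finding("Credentials", "note",
            f"referenced services lack a declared credential: {undeclared}"))
    else:
        findings.append(Finding("Credentials", "ok",
            "declared credentials cover every referenced service"))

    # Instruction scope: implied network activity with no named endpoints.
    if NETWORK_VERBS.search(text) and not ENDPOINT.search(skill.instructions):
        findings.append(Finding("Instruction Scope", "note",
            "instructions imply network calls but name no endpoints"))
    else:
        findings.append(Finding("Instruction Scope", "ok",
            "endpoints are named, or no network activity is implied"))

    # Install mechanism: instruction-only skills write nothing to disk.
    findings.append(Finding("Install Mechanism", "note" if skill.install else "ok",
        f"install spec present: {sorted(skill.install)}" if skill.install else "no install spec"))

    # Persistence: an 'always' skill asks for standing presence in the agent.
    findings.append(Finding("Persistence & Privilege", "concern" if skill.always else "ok",
        "always=true requests persistent presence" if skill.always else "always=false, no install scripts"))
    return findings


def verdict(findings: list) -> str:
    """A single 'concern' is enough for 'suspicious'; notes alone are not."""
    return "suspicious" if any(f.level == "concern" for f in findings) else "benign"


# Constructed sample resembling the reviewed skill: SEO APIs and crawling
# described, nothing declared.
SEARCH_OPTIMIZATION_AGENT = Skill(
    name="Search Optimization Agent",
    instructions=("Call the keyword_research API (Ahrefs or SEMrush data) for "
                  "volume estimates, run site_crawl on up to 100 pages, and check "
                  "Google Search Console for index coverage."),
)

# Constructed counterpart that declares its key and names a (hypothetical)
# endpoint, the shape the report says would justify upgrading the assessment.
DECLARED_VARIANT = Skill(
    name="Search Optimization Agent (declared)",
    instructions=("Query https://seo-api.example/backlinks (an Ahrefs-backed "
                  "service) using AHREFS_API_KEY; crawl only the user-supplied domain."),
    requires_env=["AHREFS_API_KEY"],
)

if __name__ == "__main__":
    for skill in (SEARCH_OPTIMIZATION_AGENT, DECLARED_VARIANT):
        findings = review(skill)
        print(f"{skill.name}: {verdict(findings)}")
        for f in findings:
            print(f"  {f.dimension}: {f.level}  ({f.detail})")
```

The weighting mirrors the report: an Instruction Scope note alone does not make a skill suspicious, an undeclared credential does. A "suspicious" result is a prompt to ask the author for the repository and the endpoint list before running the skill, not proof of malice, and the string matching is deliberately coarse; a real review still reads the SKILL.md.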
