IndexNow Setup
PassAudited by ClawScan on May 12, 2026.
Overview
This skill does what it says: it creates and runs an IndexNow submission script that sends a site’s sitemap URLs and IndexNow key to the official IndexNow endpoint.
This appears safe for its stated purpose. Before using it, confirm the site URL and key are correct, ensure the key file is intentionally public, and review the sitemap so you do not submit private or unintended URLs to search engines.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the script will notify IndexNow-supported search engines about every URL found in the site sitemap.
The script submits the site host, IndexNow key, key location, and all sitemap URLs to the IndexNow API. This is external network activity, but it directly matches the skill’s stated purpose.
const body = JSON.stringify({ host, key: INDEXNOW_KEY, keyLocation: `${SITE_URL.replace(/\/$/, "")}/${INDEXNOW_KEY}.txt`, urlList: urls, }); ... fetch("https://api.indexnow.org/IndexNow", { method: "POST",Only run it for websites you control, and check that the sitemap does not contain private or unintended URLs before submitting.
The key authorizes URL submission for the matching site and is included in the API request.
The script accepts an IndexNow key from a CLI argument or environment variable. This is documented in SKILL.md and is expected for the protocol, though users should provide only a key for a site they control.
const INDEXNOW_KEY = process.argv[3] || process.env.INDEXNOW_KEY;
Use a site-specific IndexNow key and avoid reusing unrelated secrets or credentials as the key.