Description

Autonomously monitors and optimizes WordPress sites with SEO fixes, performance audits, A/B testing, security, and competitor tracking.

README (SKILL.md)

Auto-Claw — Autonomous WordPress Operations Agent

Name: Auto-Claw
Author: xiongmao11132

What is This?

Auto-Claw is an autonomous AI agent that manages WordPress sites 24/7. It doesn't just monitor — it executes fixes, runs A/B tests, and optimizes continuously.

Features (19 Capabilities)

AI-Native Site Operations

SEO Scanner & Fixer — 40+ point audit, WP-CLI fixes, Schema.org injection
Performance Diagnostic — Core Web Vitals, TTFB, cache analysis
Content Auditor — E-E-A-T scoring, readability analysis
Image Optimizer — Compression analysis, lazy loading checks

Conversion Flywheel

A/B Testing Engine — Bayesian significance, multi-variant
Exit Intent Popup — Geo-targeted intervention
Journey Personalizer — Segment-based content
Smart Landing Pages — High-conversion page generator
Dynamic FAQ — Schema.org FAQPage generator

Global Operations Center

GEO Targeting — IP-based dynamic pricing/content
Competitor Monitor — Price/content change alerts
Campaign Switcher — Black Friday/618/双11 auto-activation
AI Content Generator — E-E-A-T optimized blog posts

Security Architecture

Vault — Credentials never touch AI context
Gate Pipeline — Destructive actions require approval
Soft Deletes — Everything recoverable
Full Audit Log — JSONL trail

Requirements

WordPress 5.8+ (self-hosted)
PHP 7.4+ / 8.x
WP-CLI installed
SSH access (optional, for full capabilities)
Redis (optional, for object caching)

Installation

# Clone the project
git clone http://github.com/YOUR_ORG/auto-company
cd auto-company/projects/auto-claw

# Run full site audit
python3 cli.py full-audit --url http://yoursite.com --web-root /var/www/html

# Start autonomous monitoring
python3 cli.py monitor --continuous

Quick Demo

# 19 capabilities demo (2 minutes)
python3 demo_complete.py

# Single capability
python3 cli.py seo
python3 cli.py performance
python3 cli.py ab-test
python3 cli.py competitor

Live Example

Real WordPress site running Auto-Claw:

URL: http://linghangyuan1234.dpdns.org
SEO Score: 85/100
Performance: 64/100
A/B Tests: 1 active
Competitor Monitor: 3 competitors tracked

Pricing

Plan	Price	Includes
Starter	$500/mo	SEO + Performance + Daily Audits
Growth	$1,000/mo	+ A/B Testing + Competitor + GEO
Enterprise	$2,000/mo	All 19 capabilities + AI Content

Beta: Free for first 10 D2C brands.

Files

auto-claw/
├── cli.py              # Unified CLI (19 commands)
├── demo_complete.py    # All 19 capabilities demo
├── status.sh           # Quick status check
├── dashboard.html      # Visual dashboard
├── README.md          # Full documentation
├── QUICKREF.md       # CLI quick reference
├── src/
│   ├── seo.py
│   ├── performance_diag.py
│   ├── ab_tester.py
│   ├── competitor_monitor.py
│   ├── geo_targeting.py
│   ├── cache_optimizer.py
│   └── ...
└── docs/
    ├── hn-launch-draft.md    # Launch story
    ├── gtm-outreach-templates.md  # Sales templates
    └── one-pager.md         # Investor one-pager

Security

Credentials stored in Vault, never exposed to AI
Destructive actions (delete, core updates) require human approval
Full JSONL audit trail
Soft deletes — nothing is permanently removed

Use Cases

D2C Brands — Automate SEO, run A/B tests, monitor competitors
WP Agencies — Manage multiple client sites autonomously
Solo Founders — Get a "24/7 employee" for WordPress ops

Support

GitHub Issues: Report bugs, request features
Beta Application: http://yoursite.com/auto-claw-beta-application/

Usage Guidance

This package contains a complete toolchain that can modify WordPress files, install plugins, run WP-CLI, create cron jobs and run continuous monitoring. Before installing or running it: - Do not run install.sh or monitor/demo scripts on production. Test inside an isolated staging VM or container. - Inspect install.sh, logs/*.sh and all scripts for subprocess calls and network endpoints; search for subprocess/exec/popen usage. - Confirm Vault usage: if you will provide VAULT_TOKEN or other secrets, verify the vault manager code (lib/vault/manager.py, src/vault.py) to ensure secrets are not printed, shipped, or sent to external endpoints. - The registry lists no required env vars but code expects VAULT_* and WP_SITES — ask the author to update metadata and explain exact credentials needed. - Keep pipeline.require_approval enabled and test the Gate pipeline to ensure HIGH-risk actions require manual approval. - Review audit logging (logs/audit.jsonl) and retain/forward logs to a secure location you control. - If you cannot audit the code yourself, avoid granting SSH keys, Vault tokens, or writing to /var/www/html on production. Consider running the tool in read-only mode first and only approve changes after manual review. If the author can supply an updated manifest declaring required env vars, install steps, and an explanation of approval/audit enforcement, confidence in safety would increase.

Capability Analysis

Type: OpenClaw Skill Name: auto-claw Version: 1.0.0 Auto-Claw is a comprehensive WordPress management suite that performs SEO, performance, and growth operations. It is classified as suspicious due to high-risk execution patterns, specifically the use of subprocess.run(shell=True) with string-formatted commands in cli.py and src/wordpress.py, which are vulnerable to shell injection. Additionally, scripts like weekly-report.sh use 'wp eval' to execute arbitrary PHP code on the target site. While these capabilities are aligned with the tool's stated purpose of autonomous site management, the combination of broad system access, SSH key handling, and insecure command construction represents a significant security risk without clear evidence of intentional malice.

Capability Assessment

ℹ Purpose & Capability

Functionality in the bundle (src/wordpress.py, seo, performance, ab_tester, vault/pipeline/audit, CLI, demos, cron scripts) aligns with the stated purpose of managing and optimizing WordPress sites. However the registry metadata claims no required env vars/configs while the code and SKILL.md clearly expect configuration (VAULT_* env vars, WP_SITES, web-root paths, and optional ClawhHub token). That mismatch is unexpected and should be clarified.

⚠ Instruction Scope

SKILL.md instructs cloning a repo and running python3 cli.py full-audit and python3 cli.py monitor --continuous, and the demo/quickref recommend cron jobs and status scripts. The CLI and many source files include code that can read site HTML, SSH/WD access (WP-CLI), run WP-CLI fixes, install plugins, and write files. The instructions therefore authorize wide filesystem and network actions (including continuous autonomous monitoring and scheduled tasks) which are consistent with the purpose but very powerful — ensure approval gating and audit behavior are enforced in practice.

ℹ Install Mechanism

There is no formal install spec in registry (instruction-only), but the skill bundle includes an install.sh, scripts, and many code files. That is not necessarily malicious, but the presence of install scripts and cron recommendations means the package can modify the host environment if executed — review install.sh and any shell scripts before running. The SKILL.md clone URL is a placeholder (http://github.com/YOUR_ORG/auto-company) and some docs reference npx, a package.json and pyproject — multiple ways to install/run exist but none are declared in metadata.

⚠ Credentials

Registry metadata declares no required environment variables or config paths, but the code reads and depends on environment variables and secrets (examples: VAULT_ENABLED, VAULT_URL, VAULT_TOKEN, WP_SITES, and a ClawhHub `--token` mention). The config module explicitly looks for VAULT_TOKEN and WP_SITES. Asking for Vault tokens or SSH/web-root access would be proportionate to the claimed capabilities, but the metadata should declare these. The mismatch increases the chance of accidental credential exposure or misconfiguration.

ℹ Persistence & Privilege

The skill does not request always:true, but instructions and demo scripts encourage running a persistent monitor (python3 cli.py monitor --continuous) and installing cron entries (logs/audit-daily.sh). If run on a host, this creates a persistent agent that can change files and schedule jobs. That is expected for this kind of tool, but it raises operational risk — ensure the Gate pipeline truly blocks destructive operations and audit logging is enabled and reviewed.

Version History

v1.0.0

Auto-Claw 1.0.0 — Initial Release - Launches autonomous WordPress operations agent with 19 AI-powered capabilities for site management, optimization, and monitoring. - Features include SEO scanning/fixes, performance diagnostics, content auditing, image optimization, A/B testing, GEO targeting, competitor tracking, and dynamic content tools. - Robust security: credentials isolation, approval gates for destructive actions, soft deletes, and full JSONL audit logging. - Unified CLI supports all features, with demo scripts and dashboard included. - Beta available to first 10 D2C brands.

Metadata

Slug auto-claw

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Auto-Claw?

Autonomously monitors and optimizes WordPress sites with SEO fixes, performance audits, A/B testing, security, and competitor tracking. It is an AI Agent Skill for Claude Code / OpenClaw, with 119 downloads so far.

How do I install Auto-Claw?

Run "/install auto-claw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Auto-Claw free?

Yes, Auto-Claw is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Auto-Claw support?

Auto-Claw is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Auto-Claw?

It is built and maintained by Xiongmao11132 (@xiongmao11132); the current version is v1.0.0.

More Skills

Auto-Claw