← 返回 Skills 市场
Website Auditor
作者
maverick-software
· GitHub ↗
· v1.0.0
413
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install website-auditor
功能描述
Audit any website across 8 quality signals to determine if it is outdated, broken, or neglected. Returns a structured audit dict used by the lead-scorer skill.
安全使用建议
This skill appears to implement a reasonable website auditor, but there are a few practical and privacy issues you should resolve before installing:
- Metadata mismatch: SKILL.md declares a required environment variable (PAGESPEED_API_KEY) and lists Python packages, yet the registry entry lists no required env or install steps. Ask the publisher to correct the registry metadata or provide a clear install spec so you know what the skill needs and why.
- Dependencies: The skill imports non-standard Python packages (Wappalyzer, python-whois, lxml). If your agent environment doesn't already have these, the skill will fail. Prefer an install spec (pip/packaging) or run the skill in a sandboxed environment.
- Raw HTML disclosure: The skill returns raw_html and documents it will be consumed by another skill. That can leak sensitive content (forms, tokens in page markup, private data). Confirm how downstream skills handle that data and whether you are comfortable with the coupling.
- Credential handling: Only provide a PAGESPEED_API_KEY if you trust the skill. The key is appropriate for the feature, but the registry mismatch means the platform may not prompt you to supply it.
- Network activity: The skill performs active network probes (HTTP fetches, SSL cert checks, whois, third-party API calls). If you need to limit outbound network access, run this skill in a restricted/sandboxed context.
If you cannot get clarification from the publisher, consider treating the skill as untrusted: run it in an isolated environment, do not supply privileged credentials, and audit any downstream consumers that will receive raw_html.
功能分析
Type: OpenClaw Skill
Name: website-auditor
Version: 1.0.0
The skill's stated purpose is to audit websites, and its core functionality aligns with this. However, the `audit_website_async` function in `SKILL.md` uses `aiohttp.TCPConnector(ssl=False)` when fetching website content. This disables SSL certificate verification for the underlying connection, making the client vulnerable to Man-in-the-Middle attacks during the initial data fetch. While a separate `check_ssl` function attempts to verify the target site's SSL, the `raw_html` and headers could be compromised during the `aiohttp` request, representing a critical security vulnerability rather than intentional malicious behavior.
能力评估
Purpose & Capability
The declared runtime actions (HTTP checks, Wappalyzer tech detection, PageSpeed API, whois/SSL checks) are coherent with a website audit. However the skill's SKILL.md metadata lists required packages and an environment variable (PAGESPEED_API_KEY) while the registry entry shows no required env vars or install steps — that's an inconsistency that could cause the skill to fail or hide needed permissions.
Instruction Scope
Instructions stay within the stated purpose (fetch page, analyze HTML/headers, detect tech, query PageSpeed). Two things to flag: (1) the skill returns raw_html in the output and explicitly notes it's used by another skill (contact-enrichment), which means page content may be forwarded to other components — a privacy/exfiltration risk depending on downstream handling; (2) the SKILL.md contains network/socket operations (requests, Wappalyzer, whois, SSL checks) which are expected but should be understood as active network probes.
Install Mechanism
This is instruction-only with no install spec. SKILL.md lists Python packages (requests, beautifulsoup4, lxml, python-Wappalyzer, python-whois) but there is no platform-level install instruction. That means the runtime must already provide these packages or the skill will fail. Absence of an install spec is a practical/operational risk and increases likelihood of silent failures.
Credentials
The only credential referenced in SKILL.md is PAGESPEED_API_KEY, which is proportionate for calling Google PageSpeed API. The registry metadata, however, does not declare this required env var — the mismatch is concerning because users/platforms won't be warned to supply the key, and the skill may behave differently if the key isn't present.
Persistence & Privilege
No elevated persistence requested (always:false). The skill is user-invocable and can be invoked autonomously (platform default) but it does not request system-level config changes or cross-skill configuration edits in the provided instructions.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install website-auditor - 安装完成后,直接呼叫该 Skill 的名称或使用
/website-auditor触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Audits websites across all 8 quality signals: HTTP status, copyright year, Last-Modified header, Wappalyzer tech stack, Google PageSpeed score, mobile responsiveness, SSL certificate, and design age signals. Async batch support included.
元数据
常见问题
Website Auditor 是什么?
Audit any website across 8 quality signals to determine if it is outdated, broken, or neglected. Returns a structured audit dict used by the lead-scorer skill. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 413 次。
如何安装 Website Auditor?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install website-auditor」即可一键安装,无需额外配置。
Website Auditor 是免费的吗?
是的,Website Auditor 完全免费(开源免费),可自由下载、安装和使用。
Website Auditor 支持哪些平台?
Website Auditor 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Website Auditor?
由 maverick-software(@maverick-software)开发并维护,当前版本 v1.0.0。
推荐 Skills