Manage SEO and GEO content updates in Webflow by prioritizing with GSC, drafting content, creating patch JSONs, updating CMS via API, optimizing images and S...
Security Analysis
medium confidenceThe skill's instructions match its stated purpose (updating Webflow content) but contain mismatches with the declared manifest (it uses a WEBFLOW_API_TOKEN and local file paths while the registry lists no required env vars or config paths), so install only after clarifying these gaps.
Name/description describe Webflow SEO/GEO updates and the SKILL.md shows the agent will call the Webflow API and edit CMS items — that aligns. However, the SKILL.md explicitly expects a WEBFLOW_API_TOKEN and local folders (/webflow_items/, /out/) whereas the registry metadata lists no required environment variables or required config paths. The missing declarations are an incoherence.
Runtime instructions are concrete (create/patch/publish via api.webflow.com, build JSON patches, set image alt/meta, check sitemap/robots). They also instruct the agent to read local documents (SEO plan, daily log, /webflow_items/) and write to /out/. Those file accesses are plausible for this skill but are not declared in the manifest and could expose arbitrary local content if the agent is granted filesystem access.
Instruction-only skill with no install spec and no code files — minimal install risk (nothing is downloaded or written by an installer).
SKILL.md requires a Webflow API token (Bearer $WEBFLOW_API_TOKEN) but the registry 'required env vars' lists none and 'primary credential' is none. This mismatch means the skill may silently expect a secret that the manifest doesn't declare. Also it assumes read/write access to local project folders which are not declared as required config paths.
The skill does not request always:true and has no install-time persistence. It can be invoked autonomously (platform default), which is normal. There is no evidence it modifies other skills or system-wide settings.
Guidance
Before installing or enabling this skill, clarify the following with the publisher: (1) Confirm which environment variable(s) are required — at minimum WEBFLOW_API_TOKEN — and how they must be provided and scoped; (2) Confirm which local paths the skill will read/write (e.g., /webflow_items/, /out/) and whether it will attempt to read any other files or directories; (3) Confirm network endpoints the skill will call (it should be only api.webflow.com and no third-party/personal servers); (4) Ask whether the skill will ever transmit non‑Webflow data offsite (logs, local docs, or secrets); (5) Require least privilege for the Webflow token (only CMS write/publish scopes) and avoid using broad or root-level credentials. If the publisher cannot provide clear answers or refuses to declare required env/config in the manifest, treat the skill as high risk and avoid installing or run it only in a tightly sandboxed environment with limited credentials. If you proceed, supply a dedicated Webflow API token with minimal scope and review all generated PATCH JSONs and API requests before they are sent.
Latest Release
v1.0.0
Webflow SEO/GEO v1.0.0 - Initial release of a comprehensive workflow for SEO and location-based content updates in Webflow. - Defines step-by-step instructions for prioritizing, drafting, patching, and publishing content via Webflow API. - Includes technical SEO best practices for canonical domains, sitemaps, redirects, and image/meta optimization. - Provides guidelines for copywriting, local page optimization, internal linking, and FAQ sections. - Offers quick references for API usage, content structuring, and workflow tools.
More by @jchopard69
Published by @jchopard69 on ClawHub
