ClawHub

Seo Autopilot

v1.0.0

Run local SEO autopilot for boll-koll.se or hyresbyte.se and return PR link plus summary.

1· 2.4k·16 current·18 all-time
by@adamhjort
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included script's intent: run an SEO tool for two allowlisted sites and return a PR link. However, the skill depends on an external 'seo-autopilot' CLI binary that is not declared in requirements or an install spec. Requiring a host-provided binary without documenting it is disproportionate and unclear.
!
Instruction Scope
SKILL.md explicitly restricts actions to running scripts/run.sh <site> and to the two allowlisted sites, which is good. But SKILL.md also says the agent should include the top 3 findings from SEO_REPORT.md if it exists — there is no code that reads that file, and the allowed-tools list includes exec which could be used to read arbitrary files if the agent deviates. The script itself only runs an external program and echoes its output; the agent would need to run extra commands to implement the SEO_REPORT.md behavior, which is an inconsistency.
!
Install Mechanism
There is no install spec. The provided script calls an external 'seo-autopilot' program (seo-autopilot "$SITE") which is neither provided nor installed by the skill. This reliance on an undeclared binary is a high-risk omission: the execution will succeed only if a binary named 'seo-autopilot' exists on PATH (which could be benign or attacker-controlled).
Credentials
The skill requests no environment variables, no credentials, and no config paths — these are proportionate to the stated task.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable only. It does allow exec (normal for instruction-only skills).
What to consider before installing
Do not install or run this skill until you verify the origin and contents of the 'seo-autopilot' program it calls. Ask the author: (1) where does the 'seo-autopilot' binary come from (official repo/release URL and version)? (2) provide an install spec or include source code and a reproducible build, plus checksums/signature for any binaries. If you must test it, run inside a tightly sandboxed environment (isolated container) and inspect what the 'seo-autopilot' binary does (network endpoints, file accesses). Also clarify how SEO_REPORT.md is supposed to be read (the script does not read it) and restrict exec permissions so the agent cannot run arbitrary commands beyond scripts/run.sh.

Like a lobster shell, security has layers — review code before you run it.

latestvk975vargn23065venk1tszxvan80pext

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments