Seo Autopilot

Security checks across malware telemetry and agentic risk

Overview

The skill is narrowly scoped to run an SEO wrapper for two allowed sites, but it depends on a local `seo-autopilot` executable that is not included or declared as an install requirement.

Before installing, make sure you know and trust the `seo-autopilot` executable on your PATH and that it is meant to operate only on boll-koll.se or hyresbyte.se. If that executable opens pull requests, confirm which repository and account it will use.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

When invoked, the agent may run the included local shell script on the user's machine.

Why it was flagged

The skill grants local command execution, but the instructions constrain it to a specific wrapper command and allowlisted sites, which is purpose-aligned.

Skill content

allowed-tools:
  - exec
... Never run arbitrary commands. Only run:
- scripts/run.sh <site>

Recommendation

Install only if you expect the agent to run this local SEO command, and keep the command and site allowlist narrow.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The actual SEO actions and any PR creation depend on whatever `seo-autopilot` program is installed locally.

Why it was flagged

The reviewed package delegates its core behavior to a `seo-autopilot` executable resolved from the local environment, while the package provides no install spec or required-binary declaration for that executable.

Skill content

OUT="$(seo-autopilot "$SITE" 2>&1 || true)"

Recommendation

Verify that the local `seo-autopilot` executable is trusted and intended for these sites; the skill metadata should declare this dependency and its provenance.