SEO DataForSEO

Security checks across malware telemetry and agentic risk

Overview

This skill is a DataForSEO SEO research helper: it reads the API credentials it expects from a .env file, sends SEO queries to DataForSEO, and saves the results locally, as its own documentation describes.

Install only if you are comfortable using a DataForSEO account for these lookups. Keep the .env file out of source control, expect API requests to consume quota or incur charges, and delete or protect the local results/ files if they contain client, competitor, or strategy-sensitive research.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill documents capabilities that require environment access, local file reads/writes, and outbound network access, but it does not declare permissions or provide any explicit user-facing notice about those behaviors. This can lead to overly broad or opaque execution where users are unaware that the skill will access secrets, persist data locally, and transmit queries to a third-party API.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that all research results are automatically saved as timestamped JSON files, but it does not warn users about local persistence, retention, or the possibility of sensitive research topics being stored on disk. This creates a privacy and data-handling risk, especially in shared environments or when research terms reveal business strategy or client information.

Missing User Warnings

Medium
Confidence: 94%
Finding
The instructions tell users to place API credentials in a .env file but omit basic secret-handling guidance such as excluding the file from version control, restricting access, and avoiding accidental disclosure. While using a .env file is common, presenting it without safeguards increases the chance of credential leakage through commits, backups, or shared workspaces.

Missing User Warnings

Medium
Confidence: 94%
Finding
The functions send user-supplied keywords, domains, and locale selections to a third-party API, but the code provides no user-facing disclosure or consent mechanism. In an SEO research skill this data flow is expected for functionality, yet it still creates a real privacy risk because user queries, competitor domains, or sensitive business research terms may be transmitted off-system without explicit notice.

Missing User Warnings

Medium
Confidence: 96%
Finding
Results are persisted by default via save_result(..., save=True), which can store user queries and returned analysis output without an explicit warning. In this SEO context, saved data may include commercially sensitive keyword strategy, competitor intelligence, or client research, increasing confidentiality and retention risks if storage is later accessed or mishandled.

Missing User Warnings

Medium
Confidence: 90%
Finding
This code sends user-supplied search keywords plus location/language targeting data to a third-party API and, by default, persists the returned result locally via save_result. In an SEO skill this behavior is expected, but it still creates a real privacy/data-handling risk because potentially sensitive user queries can be disclosed to an external service and retained without any consent check, minimization, or warning in this code path.

Missing User Warnings

Medium
Confidence: 84%
Finding
This function transmits user-supplied keywords and location context to the external DataForSEO service and, by default, persists the returned data locally via save_result(). In an SEO skill this network use is expected, but the lack of explicit disclosure/consent and the default-on local persistence can expose sensitive research terms, client campaign data, or proprietary market analysis if users assume processing is local-only.

Missing User Warnings

Medium
Confidence: 78%
Finding
The trending-now function sends location data to an external API and may save the resulting dataset locally without explicit notice in the function. Although the data involved is less sensitive than arbitrary keyword queries, location information can still reveal user or customer targeting preferences, and silent persistence increases privacy and data-handling risk.
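The .env, disclosure and default-on persistence findings above all point at the same three gaps. The Python below is an added example of the safeguards a hardened version of this skill would carry; it was written for this page and is not the skill's own code. The names env_file_problems, data_flow_notice, the save_result signature, RESULTS_DIR, the DATAFORSEO_* variable names and the sample response are assumptions, and the real skill may differ. It checks that the credentials file is not group/world-readable and is excluded by .gitignore, produces a plain statement of what leaves the machine, and makes local persistence opt-in, owner-only on disk, and refused outright if a record would contain a credential value.

```python
"""Hardened handling for a DataForSEO-style research skill (added example)."""
import json
import os
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed names: the real skill's identifiers and variable names may differ.
ENV_FILE = Path(".env")
RESULTS_DIR = Path("results")
IGNORE_PATTERNS = {".env", "/.env", "*.env", ".env*"}


def env_file_problems(env_path=ENV_FILE, gitignore_path=Path(".gitignore")):
    """Secret-hygiene problems to fix before using the skill.

    Covers the two leak paths the findings name: the credentials file being
    readable by other local users, and it being committable because no
    .gitignore pattern excludes it.
    """
    if not env_path.exists():
        return [f"{env_path} does not exist"]
    problems = []
    mode = stat.S_IMODE(env_path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{env_path} is group/world accessible (mode {mode:o}); chmod 600 it")
    ignored = set()
    if gitignore_path.exists():
        ignored = {line.strip() for line in gitignore_path.read_text().splitlines()}
    if not ignored & IGNORE_PATTERNS:
        problems.append(f"{env_path.name} is not excluded by {gitignore_path}")
    return problems


def data_flow_notice(keywords, location, save):
    """The user-facing disclosure the findings say each function lacks."""
    stored = ("and stored under results/ as a timestamped JSON file" if save
              else "and not stored locally")
    return (f"{len(keywords)} keyword(s) and location '{location}' will be sent to the "
            f"DataForSEO API (consuming quota or incurring charges) {stored}.")


def save_result(kind, query, result, save=False, results_dir=RESULTS_DIR, secrets=None):
    """Persist a result only on explicit opt-in (the skill's default is save=True).

    Writes an owner-only (0o600) file inside an owner-only (0o700) directory and
    refuses to write a record containing any credential value passed in
    `secrets`. Returns the written path, or None when nothing was stored.
    """
    if not save:
        return None
    record = {"kind": kind, "query": query,
              "saved_at": datetime.now(timezone.utc).isoformat(), "result": result}
    serialized = json.dumps(record, indent=2)
    for name, value in (secrets or {}).items():
        if value and value in serialized:
            raise ValueError(f"refusing to persist: value of {name} appears in the record")
    results_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(results_dir, 0o700)  # mkdir's mode is masked by umask; enforce it
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    path = results_dir / f"{kind}_{stamp}.json"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # never clobber, owner-only
    with os.fdopen(fd, "w") as fh:
        fh.write(serialized)
    return path


def demo():
    """Exercise the checks in a throwaway directory (all inputs are constructed)."""
    root = Path(tempfile.mkdtemp())
    env, gitignore, results = root / ".env", root / ".gitignore", root / "results"
    secret = "constructed-password"
    env.write_text(f"DATAFORSEO_LOGIN=user@example.com\nDATAFORSEO_PASSWORD={secret}\n")
    os.chmod(env, 0o644)  # the weak state: every local user can read the credentials
    problems_before = env_file_problems(env, gitignore)
    os.chmod(env, 0o600)
    gitignore.write_text(".env\nresults/\n")
    problems_after = env_file_problems(env, gitignore)

    query = {"keywords": ["acme widgets"], "location": "United States"}
    response = {"items": [{"keyword": "acme widgets", "search_volume": 1200}]}  # constructed
    skipped = save_result("search_volume", query, response, results_dir=results)
    written = save_result("search_volume", query, response, save=True,
                          results_dir=results, secrets={"DATAFORSEO_PASSWORD": secret})
    try:  # a record that echoes the credential must never reach disk
        save_result("echo", {"note": secret}, {}, save=True, results_dir=results,
                    secrets={"DATAFORSEO_PASSWORD": secret})
        leak_blocked = False
    except ValueError:
        leak_blocked = True
    return {
        "problems_before": problems_before,
        "problems_after": problems_after,
        "skipped": skipped,
        "file_mode": oct(stat.S_IMODE(written.stat().st_mode)),
        "dir_mode": oct(stat.S_IMODE(results.stat().st_mode)),
        "round_trip": json.loads(written.read_text())["result"] == response,
        "leak_blocked": leak_blocked,
    }


if __name__ == "__main__":
    print(data_flow_notice(["acme widgets"], "United States", save=False))
    print(json.dumps(demo(), indent=2))
```

The opt-in default is the substantive change: with save=False the query never touches disk, and a user who wants the timestamped JSON files the skill advertises asks for them explicitly and gets them with owner-only permissions. The permission checks rely on POSIX file modes, so they are meaningful on Linux and macOS but not on Windows.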

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal