SEO GEO for SaaS

Security checks across malware telemetry and agentic risk

Overview

This is a coherent SaaS SEO planning skill, but it needs careful handling of API credentials and generated project files.

Install only if you want an agent to help manage SaaS SEO strategy and content files in your project. Keep Google and DataForSEO secrets in environment variables or a secrets manager, do not paste them into chat or commit them, monitor paid API usage, and review generated `seo/` file changes before publishing or committing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list is very broad and includes common phrases such as "blog post," "write an article," and "content strategy," which can cause the skill to activate in situations beyond the user's intended scope. Over-broad activation increases the chance the agent will invoke file-writing workflows or credential-dependent behavior unexpectedly, creating avoidable security and safety risk through mis-scoping rather than direct exploitation.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly states it will create and update multiple files inside the user's project, but it does not require explicit consent or warn the user before modifying local project data. In an agent setting, this can lead to unintended workspace changes, overwriting curated content, or persistence of potentially sensitive business information without the user's informed approval.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill declares dependencies on sensitive credentials including Google and DataForSEO secrets, yet provides no guidance on secure handling, storage, redaction, or privacy boundaries. This is dangerous because users may be prompted to expose secrets in insecure ways, and the skill may access third-party data tied to search analytics and business intelligence without clear disclosure of data flow or retention expectations.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill instructs users to configure DataForSEO API credentials as environment variables, but gives no warning about secure handling, scoping, redaction, or the risk of pasting secrets into chat or project files. In an agent-driven workflow, ambiguous credential setup guidance can lead users to expose secrets in conversation, commit them to source control, or make them available too broadly to unrelated tools.

VirusTotal

VirusTotal findings are pending for this skill version.
