ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GEO Optimization

v1.1.0

Generative Engine Optimization (GEO) for AI search visibility. Optimize content to appear in ChatGPT, Perplexity, Claude, and Google AI Overviews. Use when optimizing websites, pages, or content for LLM discoverability and citation.

8· 3.4k·6 current·6 all-time
bycaptmarbles@capt-marbles
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md is a content-focused GEO audit and templates (no mention of API calls), yet the package contains three executable scripts (geo-monitor.py, geo-daily-report.py, geo-daily-monitor.sh). Those scripts imply automation/monitoring and likely make network requests or require API keys; the skill declares no required env vars, binaries, or install steps, which is disproportionate to the presence of automation code.
Instruction Scope
The SKILL.md instructions themselves are narrowly scoped to writing content and performing audits (no instructions to read local config or exfiltrate data). However, the presence of monitoring/reporting scripts expands the runtime surface in ways not described by SKILL.md — the instructions do not document when/how those scripts run or what data they access.
Install Mechanism
There is no install spec (instruction-only), so nothing will be auto-downloaded by the registry. That reduces risk, but the provided scripts will run only if the agent or user executes them. The lack of declared dependencies for the Python and shell scripts is a documentation gap.
!
Credentials
No required environment variables or primary credential are declared, yet monitoring scripts commonly require API keys (OpenAI, search engines, or scraping proxies). The absence of declared credentials is inconsistent with the code presence and creates uncertainty about where sensitive keys would be needed or stored.
Persistence & Privilege
The skill does not request persistent/always-on inclusion and does not set disableModelInvocation flags; defaults allow model invocation but the skill is not force-included. There is no declared elevated system privilege or config-path access.
What to consider before installing
Before installing: inspect the three scripts (geo-monitor.py, geo-daily-report.py, geo-daily-monitor.sh). Look for network endpoints, hardcoded API keys, or subprocess calls; confirm whether they call LLM/search APIs and which credentials they expect. Ask the publisher for a homepage or source repository and a README explaining dependencies and required env vars. If you must run them, do so in a sandboxed environment and avoid supplying production API keys until you verify exactly what data they send and to whom. If you cannot review the scripts, treat the skill as higher-risk and avoid granting credentials. Additional helpful info from the author: exact runtime steps, dependency list, example config with non-sensitive values, and a clear privacy notice describing any telemetry or external queries.

Like a lobster shell, security has layers — review code before you run it.

latestvk9769x806bmsyrg6xgpawaccys80090s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments