v1.0.1

geo_skill

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:39 AM.

Analysis

This is mostly a disclosed GEO API workflow, but it can publish generated articles by default without a separate content-review confirmation.

Guidance: Before installing, confirm you trust the GEO API provider, use a dedicated API key, and set article review to required so no generated content is published until you have read and approved it.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
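“Does the generated article need to be reviewed by you before it is published? (By default no review is needed and it is published directly)” and “Review approved (a publishing task is created automatically)”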

The artifact states that generated articles can be directly published by default and that approval automatically creates a publishing task.

User impact: Generated brand review content could be sent into a publishing workflow without the user first reviewing the exact article text and explicitly approving publication.
Recommendation: Require review by default, show the final article and publication destination, and ask for explicit confirmation before creating any publish task.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
“The user must provide their own GEO API Key” and “Save the key to `~/.openclaw/geo-api-key`”

The skill uses and locally persists a bearer-style service credential. This is expected for the GEO API, but it is sensitive authority.

User impact: Anyone or anything that can read the saved file may be able to use the user's GEO service access, including actions supported by that key.
Recommendation: Use a dedicated/revocable GEO key, protect the local key file permissions, delete the file when no longer needed, and ensure the registry metadata declares the credential/config requirement.