Seo Keyword Pro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The visible code does not show data theft or system damage, but it appears to generate simulated SEO and ranking data while presenting itself as a real AI keyword and rank-tracking tool.
Review this skill carefully before installing or paying for it. The visible code looks more like a simulated/demo SEO tool than a real keyword data service, so do not rely on its metrics for business decisions without external validation, and avoid entering real API keys unless the provider and purpose are clearly documented.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could make content, marketing, or paid-service decisions based on random estimates that are presented like real SEO intelligence.
The implementation visibly simulates keyword metrics and ranking positions, while the skill description and README market the tool as AI-powered keyword research with rank tracking and competitor analysis. This mismatch can cause users or agents to trust fabricated SEO data.
// Simulate keyword metrics ... const current = Math.floor(Math.random() * 50) + 1;
Treat the outputs as demo or synthetic data unless the maintainer clearly labels them as simulated or documents a real data source/API integration. Validate any SEO decisions with an independent tool.
A user may provide a sensitive API key without a clearly identified provider, scope, or need.
The code accepts or reads an API key even though the registry declares no required credentials or environment variables. The provided artifacts do not show the key being transmitted, so this is an under-disclosed credential-handling note rather than evidence of exfiltration.
this.apiKey = options.apiKey || process.env.SEO_API_KEY;
Do not provide real API keys unless the skill documents the provider and scope. The maintainer should declare the credential in metadata or remove the unused API key handling.