v1.0.1

Seo Keyword Pro

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:53 AM.

Analysis

No destructive behavior is shown, but the tool appears to present randomly simulated SEO and ranking data as a paid AI keyword product, so it should be reviewed before relying on it.

Guidance: Before installing or paying for this skill, understand that the supplied implementation appears to generate SEO metrics, rankings, and competitor data synthetically. Use it only as a demo or brainstorming aid unless the maintainer documents real data sources and credential requirements.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
index.js
const current = Math.floor(Math.random() * 50) + 1;
const previous = current + Math.floor(Math.random() * 10) - 5;

These random values are returned from the rank-tracking flow, while the skill is marketed as keyword research, rank tracking, and competitor analysis; nearby code also labels keyword and competitor data as simulated.

User impact: A user or agent could treat fabricated-looking SEO metrics as real search rankings or competitor intelligence and make business decisions based on unreliable data.
Recommendation: Treat outputs as mock estimates unless the author clearly discloses the synthetic nature and provides a real, verifiable SEO data source before use or payment.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: Medium | Status: Note
metadata
Source: unknown

The registry metadata does not identify a verified source for the package, which is a provenance gap even though the supplied package has no dependencies or install script.

User impact: There is less assurance that the published package matches a reviewed upstream source.
Recommendation: Install only from a trusted registry entry or verified repository, and prefer pinned versions where possible.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
index.js
this.apiKey = options.apiKey || process.env.SEO_API_KEY;

The skill can read an API key from options or the local environment even though the registry declares no required credentials or environment variables.

User impact: You may provide or expose an API key that the install metadata did not clearly declare, although the provided code does not show it being used, logged, or sent elsewhere.
Recommendation: Only provide a dedicated low-privilege key if needed, and ask the maintainer to declare SEO_API_KEY in metadata or remove the unused credential handling.