ClawHub

Seo Blog Writer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a promotional SEO-writing prompt package that overstates included capabilities and directs users to paid off-platform upgrades, but it does not contain executable code or obvious data-stealing behavior.

Review this carefully before installing. It can likely help draft SEO-oriented text, but do not assume it includes the advertised scripts, bulk processor, keyword tooling, or publishing workflow. Treat outputs as drafts, fact-check and review before publishing, and be cautious with the PayPal, Telegram, and crypto payment instructions for the paid upgrade.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest and top-level description advertise concrete capabilities such as Python-based SEO workflow automation, publishing, and bulk processing, but the file only contains promotional copy, examples, and payment instructions. This is dangerous because users and downstream agents may rely on nonexistent functionality, causing unsafe automation assumptions, unexpected external purchases, or workflow misuse based on deceptive capability claims.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The content promises a complete SEO workflow, bulk processing, and included Python scripts, but the provided material does not implement or expose those functions. In an agent ecosystem, overstated capabilities can mislead users into delegating publishing or batch-content tasks to a skill that cannot safely perform them, increasing the risk of faulty outputs and unintended decisions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance is loosely phrased as generic prompts to ask the agent, without defining when this skill should activate, what inputs are expected, or what boundaries apply. Ambiguous triggering can cause accidental invocation in unrelated contexts, unpredictable agent behavior, and confusion about whether the skill is performing content generation, SEO advice, or commercial upselling.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises a workflow that includes publishing but does not warn that generated content should be reviewed and approved by a human before publication. In content automation contexts, this can lead to inaccurate, plagiarized, policy-violating, or brand-damaging material being published without editorial control.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal