Agent SEO Engine

Pass

Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill
Name: agent-seo-engine
Version: 0.1.0

The skill bundle for 'agent-seo-engine' describes a local SEO analysis tool with a focus on privacy and local execution. The SKILL.md file includes explicit safety instructions to avoid exposing secrets or private data and uses standard installation methods via pipx from a public GitHub repository (github.com/davidmosiah/agent-seo-engine). No indicators of malicious intent, data exfiltration, or harmful prompt injection were found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing from the live repository could run code that was not part of this review.

Why it was flagged

The skill asks the user to install executable code directly from a GitHub repository, and the reviewed artifact set does not include that package code or a pinned commit.

Skill content

`pipx install "git+https://github.com/davidmosiah/agent-seo-engine.git"`

Recommendation

Review the linked repository before installing, prefer pinned versions or trusted releases when available, and install in a controlled environment.

What this means

If the agent is given tokens or local credential files, those credentials could expose connected SEO or provider accounts if mishandled.

Why it was flagged

The skill acknowledges credential and local token handling surfaces, which are sensitive even though it also says no API keys are required by default.

Skill content

Do not print OAuth tokens, API keys, service-account JSON, local token files, or private user data.

Recommendation

Use least-privilege accounts, avoid pasting secrets into chat, confirm any requested credential scope, and keep token files out of model-visible output.

What this means

Private content or search performance data could be revealed in prompts, logs, or generated output if not scoped carefully.

Why it was flagged

The SEO workflow may bring private customer content or search-console exports into the agent's working context for analysis.

Skill content

Treat customer content and GSC exports as private.

Recommendation

Only provide the files needed for the task, redact sensitive content where possible, and use the privacy_audit or dry-run surfaces before broader analysis.

What this means

A live provider call or write action could affect connected services or local files if run without user confirmation.

Why it was flagged

The wording implies the installed tool may support writes or live provider calls, but it also instructs the agent to prefer inspection and dry-run workflows first.

Skill content

Prefer connection_status, manifest, doctor, privacy_audit, or dry-run surfaces before any write or live provider call.

Recommendation

Require explicit user approval before any write or live provider operation, and run manifest, doctor, privacy_audit, or dry-run checks first.