SEO Article Generator

Pass

Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill
Name: seo-article-generator
Version: 1.0.0

The skill attempts to read sensitive configuration data directly from the filesystem at '/home/admin/.openclaw/openclaw.json' to extract API keys, which bypasses standard environment variable practices. Additionally, it hardcodes a Punycode domain (xn--ehqw44a690c.com) for affiliate links and sitemap generation in 'generate.js', which could be used for traffic redirection or SEO spamming. While these behaviors are risky and involve unauthorized file access, they appear aligned with the stated (albeit aggressive) purpose of an automated SEO generator rather than clear malware.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Generated pages may promote and point search engines at a domain the user did not choose.

Why it was flagged

The code hard-codes a specific external domain for the affiliate ad and sitemap URLs, while the skill is presented as generating content for the user's website and services.

Skill content

href="https://www.xn--ehqw44a690c.com/ai-photo" ... const url = `https://www.xn--ehqw44a690c.com/article/${filename}`;

Recommendation

Make the site URL and affiliate links explicit, configurable, and disabled until the user approves them; review generated pages and sitemap entries before publication.

What this means

The skill could consume API quota and create website-facing SEO pages or sitemap entries without the user reviewing each article first.

Why it was flagged

The instructions describe recurring content generation and sitemap mutation, but do not describe user approval, limits, review workflow, or rollback controls.

Skill content

The skill automatically generates one SEO article per hour ... Auto-registration in sitemap.xml

Recommendation

Require explicit user invocation or approval for each generated article and sitemap update, and provide clear configuration for output paths, frequency, and rollback.

What this means

Installing or running the skill may use the user's stored DeepSeek/OpenAI-compatible API credential and consume paid API quota.

Why it was flagged

The code reads a DeepSeek API key from the environment or local OpenClaw config. This is expected for the stated DeepSeek generation purpose, but it is not declared in the requirements.

Skill content

process.env.DEEPSEEK_API_KEY ... fs.readFileSync('/home/admin/.openclaw/openclaw.json', 'utf8') ... providers?.deepseek?.apiKey

Recommendation

Declare the credential and config path requirements clearly, and let the user choose which provider key may be used.

What this means

Users have less ability to verify the author's intent, update history, or maintenance practices.

Why it was flagged

The artifact provides no verifiable source repository or homepage, which limits provenance review even though the included code is visible.

Skill content

Source: unknown; Homepage: none

Recommendation

Prefer skills with a verifiable source repository/homepage, or manually review the included files before installing.