ClawHub

Emergence SEO GEO

Security checks across malware telemetry and agentic risk

Overview

This is a coherent SEO/GEO audit skill that performs expected website crawling and optional search-index checks, with some privacy and TLS caveats users should understand.

Install only if you are comfortable running a local audit script that makes outbound requests. Use --e2e only for domains and prompts that can be shared with search providers, and treat results from sites with broken TLS cautiously because the script may retry without certificate verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to run a local Python script and optionally invoke external search tooling, which implies shell execution and outbound network access, yet no permissions are declared. This mismatch is dangerous because a user or runtime may treat the skill as low-privilege documentation while it actually drives code execution and external connectivity, increasing the chance of unintended command execution, data egress, or unsafe tool use.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The README explicitly advertises live search-engine indexation checks using external services and local CLIs, but it does not warn users that running the tool may transmit target domains, prompts, or other audit-related data to third-party providers. In a security-sensitive or confidential assessment context, this can cause unintended data disclosure and surprise outbound network activity, especially because users may copy-paste example commands directly from the documentation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs outbound requests to arbitrary target URLs and can optionally query multiple third-party search providers, but it provides only minimal user-facing disclosure about what data will be sent externally. In a skill context, this can expose sensitive internal URLs, prompts, or reconnaissance targets to outside services without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal