ClawHub

SEO AGI (Multi-Agent SEO: Research → Gap Analysis → Write → Validate → Ship)

Security checks across malware telemetry and agentic risk

Overview

This SEO skill uses external SEO APIs, optional Search Console data, and local file outputs in ways that fit its advertised purpose, but users should understand the credential and file-writing behavior before installing.

Install only if you are comfortable giving the skill SEO API credentials and optional read-only Search Console access. Prefer a virtual environment for dependencies, review ~/.config/seo-agi/.env permissions, and check ~/Documents/SEO-AGI and ~/.local/share/seo-agi for saved outputs containing sensitive keyword or site data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("\nInstalling dependencies...")
    deps = ["requests"]
    try:
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "--quiet"]
            + deps
            + ["--break-system-packages"],
Confidence
86% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "--quiet"] + deps + ["--break-system-packages"], stdout=subprocess.DEVNULL,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("[OK] Core dependencies installed (requests)")
    except subprocess.CalledProcessError:
        try:
            subprocess.check_call(
                [sys.executable, "-m", "pip", "install", "--quiet"] + deps,
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
Confidence
83% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "--quiet"] + deps, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill instructs loading credentials from a fixed local config path and environment variables for external services that are not strictly necessary for basic page writing. This increases the risk of unnecessary secret exposure and overbroad credential use, especially if the agent automatically probes local environment state or uses high-value API accounts without explicit consent.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill directs automatic saving of generated pages into fixed user directories, creating an unnecessary side effect for a writing skill. Unprompted file creation can overwrite user expectations, leak sensitive content into predictable locations, and be abused for persistence or clutter without clear notice.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The script accesses external Google Search Console credentials and uses them to query site performance data, a capability not clearly justified by the advertised content-writing purpose. In an agent-skill ecosystem, undisclosed credentialed external access expands the trust boundary and can expose sensitive business intelligence such as query, page, and performance data.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The skill's setup process installs Python packages by invoking pip, which is a privileged capability relative to the stated purpose of generating SEO pages. In context, this is not obviously malicious, but unnecessary environment modification increases supply-chain and local system integrity risk, especially because the install is performed quietly and may use '--break-system-packages'.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README says the skill auto-triggers on generic SEO content requests such as writing or optimizing pages, which is broad enough to activate during ordinary user conversations without a narrowly scoped opt-in. In an agentic environment, broad trigger conditions can cause unintended execution of research, content generation, API use, and downstream file writes, increasing the chance of unreviewed actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states the skill will save generated pages to ~/Documents/SEO-AGI/pages/ as part of normal operation, but the surrounding flow does not clearly require explicit consent immediately before file creation. Silent or assumed file writes are risky in agent systems because they can leave persistent artifacts, overwrite expectations about where outputs go, and combine with broad auto-triggering to create unintended local side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs saving generated or rewritten pages to local directories without any user-facing warning or consent. Silent local writes are dangerous because they create persistent side effects on the host system and can expose content, surprise the user, or be chained with other capabilities to store data outside the conversation context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill is designed to send user-provided keywords, site information, and potentially Search Console data to external services, but the specification does not mention user notice, consent, or data-sharing boundaries. In a content-generation workflow, this can expose sensitive business data such as target pages, site performance, and query intelligence to third parties without the user's informed approval.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The script always persists research output to disk via save_research() before printing results, with no opt-in, prompt, or clear warning that potentially sensitive query terms, SERP data, and derived analysis will be stored locally. This creates a privacy and data-retention risk, especially in agent contexts where users may expect ephemeral processing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script collects DataForSEO credentials and a service account path, then writes them to a local .env file in plaintext without warning the user about storage, permissions, or exposure risks. This can lead to credential disclosure through local compromise, backups, accidental sharing, or permissive file permissions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal