Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SEO + GEO Content Engine
v1.0.4
Use when the user wants to write an SEO article, generate a blog post, create content for a keyword, run the full SEO pipeline, or check available keywords....
⭐ 1· 280·1 current·1 all-time
by Tim @geo-seo
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and docs describe a keyword→SERP→article pipeline and the declared runtime needs (SERPAPI_API_KEY, GOOGLE_SHEETS_TRACKER_URL, optional python3) are appropriate for that functionality. However, the package-level registry metadata at the top (which lists 'Required env vars: none') conflicts with the SKILL.md and manifest that reference SERPAPI_API_KEY and GOOGLE_SHEETS_TRACKER_URL. That mismatch is unexpected and reduces trust in the packaging/metadata.
Instruction Scope
SKILL.md outlines a 5-step pipeline and explicitly limits actions to using an approved SERP API or a provided spreadsheet/CSV/pasted SERP snapshot. It instructs not to crawl/search without an approved API or user export and does not instruct reading unrelated system files or secrets. The workflow appears scoped to SEO research and content generation.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That minimizes disk/write/remote-install risk; runtime behavior depends on the agent executing the SKILL.md instructions.
Credentials
The environment variables referenced in SKILL.md (SERPAPI_API_KEY, GOOGLE_SHEETS_TRACKER_URL) are reasonable for live SERP retrieval and a keyword tracker. However, there are multiple inconsistencies across files: the top-level registry metadata reported 'none' for required envs, SKILL.md marks them as required and sets SERPAPI_API_KEY as primaryEnv, and manifest.json lists them as optional_env_vars. This ambiguity could lead to unexpected credential use. Also, exposing a GOOGLE_SHEETS_TRACKER_URL (even read-only) can reveal private tracker contents if a user supplies a private sheet.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not include install scripts, and does not modify other skills or system configuration. Autonomous invocation is allowed (platform default) but not a unique risk here.
What to consider before installing
This skill appears to implement a legitimate SEO/GEO pipeline, but there are several packaging/metadata mismatches you should clear up before installing:
1) Confirm whether SERPAPI_API_KEY and GOOGLE_SHEETS_TRACKER_URL are truly required or optional (SKILL.md says required, manifest calls them optional, registry summary said none).
2) Don't provide a private Google Sheets URL unless you trust the skill author — prefer a read-only/public tracker or paste CSV exports.
3) If you supply SERPAPI_API_KEY, ensure the key has appropriate limits and is revocable; consider using an account with minimal quota.
4) The repository/license metadata is inconsistent (README shows MIT badge while manifest lists Apache-2.0) and the published source/owner identity is not clearly verifiable — prefer skills with a known GitHub org or author.
5) If you still want to try it, run it in a restricted/test environment, monitor requests (to ensure it uses the declared APIs only), and avoid giving access to production secrets until you verify behavior.
If possible, ask the publisher to correct the manifest/registry metadata so required vs optional env vars and the license are explicit.
Like a lobster shell, security has layers — review code before you run it.
latest vk97c5805ps4c69cwx7pytcf79582mvsw
