SEO Outreach Workflow

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent instruction-only SEO outreach workflow focused on research and manual-send drafts, with disclosed optional Sheets/Search access and a small caution around tracker updates.

This skill appears reasonable to install if you want SEO outreach research and draft preparation. Before using it, decide whether it may touch a live Google Sheet or only CSV exports, keep API keys scoped, review any tracker updates, and manually review drafts for quality, privacy, and anti-spam compliance before sending.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

A connected campaign spreadsheet could have rows marked processed during batch work.

Why it was flagged

This shows the skill may make state-changing updates to a live opportunity tracker rather than only reading outreach data.

Skill content
If a tracker is explicitly configured, filter to rows where `Status = pending`. Update `Status` to `processed` after each row completes.
Recommendation

Use pasted CSV or read-only exports unless you intentionally want live tracker updates, and confirm which sheet and rows may be changed.

ASI03: Identity and Privilege Abuse
Low
What this means

Providing these values lets the agent access outreach targets and use search API quota, though the artifacts do not require inbox or sending credentials.

Why it was flagged

The skill discloses optional use of external account/API access for Sheets and search, and it keeps mail credentials out of scope for the core workflow.

Skill content
- `GOOGLE_SHEETS_TRACKER_URL`: optional source for opportunity rows; prefer read-only or exported CSV
- `SERPAPI_API_KEY`: recommended for article discovery and search-driven contact research
- no mail credentials are required for research and draft generation
Recommendation

Provide only the minimum needed credentials, prefer read-only sheet access or CSV exports, and do not give Gmail/inbox access to this skill unless using a separately approved sender or reply-monitoring workflow.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users may be confused about what credentials or binaries are actually needed before use.

Why it was flagged

The registry metadata says there are no required env vars or binaries and no install spec, while the skill frontmatter lists requirements. This is a setup-contract inconsistency, not evidence of hidden code.

Skill content
primaryEnv: SERPAPI_API_KEY
requires:
  env:
    - SERPAPI_API_KEY
    - GOOGLE_SHEETS_TRACKER_URL
  bins:
    - python3
Recommendation

Treat SerpAPI and Google Sheets access as optional unless the workflow stage requires them, and verify the skill source/repository if relying on its setup documentation.