Blog Writing
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The blog-writing workflow is coherent, but it asks the agent to spawn a subagent with full security privileges and to run shell commands specifically so that exec approval gates do not apply.
Install only if you are comfortable granting broad local execution rights for this workflow. Before use, review the referenced seo-geo-qa scripts and consider removing the `security: "full"` requirement so QA and link-check commands remain explicit and user-approved.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could run local commands with broad permissions while preparing a blog post, rather than asking for narrow approval for each QA or link-check command.
The skill requires shell execution and full exec permissions for a writing workflow, which creates broad tool authority beyond normal document drafting.
This skill requires running shell commands ... It must be executed in a context with full exec permissions.
Use only in a trusted workspace, and prefer a revised version that limits execution to specific reviewed commands and keeps normal approval gates enabled.
Installing the skill may encourage the agent to bypass normal permission boundaries for a task that should usually be reviewable and low-risk.
The artifact explicitly instructs the agent to grant a subagent full security privileges because approval gates would otherwise block execution.
Always spawn the writing subagent with `security: "full"` ... REQUIRED — without this, exec approval gates block Phase 5 & 6
Do not grant `security: "full"` automatically; require user confirmation and scope any subagent permissions to the specific files and commands needed.
The actual behavior depends on separate code that is not included in this review, so the user cannot verify from these artifacts what the QA runner will do.
The skill depends on executable scripts from another skill path, but this artifact set contains only SKILL.md and no install spec declaring or pinning that dependency.
python3 skills/seo-geo-qa/scripts/seo_qa_runner.py path/to/draft.md --keyword "best email apps for mac"
Review and pin the referenced seo-geo-qa skill/scripts before allowing this skill to run them, especially with full exec permissions.
