Seo Geo Qa
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears purpose-aligned for SEO article QA, with disclosed web fetching/proxy use and local report files but no artifact-backed malicious behavior.
Before installing, make sure you are comfortable with the skill contacting DuckDuckGo, Jina, article links, and competitor URLs, and with local markdown/JSON QA reports being created. Use `--no-jina` when proxy rendering is not acceptable, and avoid running checks on private or embargoed URLs unless that exposure is intended.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may not run as expected unless Python, curl, and network access are available.
These runtime requirements are disclosed in the skill instructions, but the registry metadata declares no required binaries or install spec, so users need to read the skill file to understand the actual environment needs.
- **Python 3.10+** ... - `curl` available in PATH ... - **Network access to `r.jina.ai`**
Treat Python, curl, and r.jina.ai access as explicit requirements, and prefer registry metadata that declares them clearly.
Running SERP checks can contact third-party and competitor sites through Jina, which may have privacy, policy, or terms-of-service implications.
The skill performs automated web fetching through an external renderer/proxy, including anti-bot bypass for SERP and competitor-page analysis. This is disclosed and purpose-aligned, but it is a capability users should notice.
falls back to Jina Reader (`r.jina.ai`) which renders the page with a real browser ... Competitor pages are always fetched via Jina first (bypasses Cloudflare)
Use the documented `--no-jina` option when proxy rendering is not acceptable, and avoid using private or embargoed URLs with proxy-based checks.
Keywords, public page URLs, competitor URLs, and link-check targets may be visible to external services or destination sites.
The code sends search keywords and target URLs to external services. It does not show credential use or draft-content upload, but the data boundary includes DuckDuckGo, Jina, and fetched websites.
JINA_BASE = "https://r.jina.ai/" ... search_url = f"https://html.duckduckgo.com/html/?q={quote(query)}"
Do not run this on sensitive unpublished URLs unless that network exposure is acceptable; disable Jina where possible for stricter privacy.
QA results may remain on disk and could be committed, shared, or reused by later automation if not managed.
The skill creates persistent local reports that can contain article metadata, link findings, source-quality judgments, and verdicts for later reuse.
The runner writes timestamped markdown + JSON reports by default ... saves to `qa-reports/<article-slug>/` next to the article ... Use the JSON report for automation or later aggregation.
Store reports only where appropriate, avoid committing sensitive draft QA reports, and clean old reports when they are no longer needed.
