Lesishu SEO Guide

Security checks across malware telemetry and agentic risk

Overview

This is mostly an SEO guide with a local PDF helper, but its metadata claims unrelated wallet, purchase, crypto, and sensitive-credential capabilities.

Review the capability labels before installing: an SEO guide should not need wallet, crypto, purchase, or sensitive-credential authority. If installed, keep PDF generation user-initiated, install dependencies from trusted sources, and apply outreach guidance only to lawful, business-appropriate contacts with consent, opt-out handling, and anti-spam/privacy compliance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The embedded summary at the end of the document states that event markup may use a physical or virtual location and references attendance modes, while the main body explicitly says virtual-only experiences aren't supported and events must take place in a physical location. In an SEO skill, this inconsistency can mislead the agent or user into generating invalid schema markup, causing incorrect implementation, rich result eligibility loss, or spammy structured markup issues.

Missing User Warnings

Medium
Confidence: 90%
Finding
This content gives operational guidance for scaled outreach, including programmatic email discovery and validation, but does not include any guardrails around consent, lawful basis for contact, anti-spam rules, or privacy handling. In an agent skill, that omission can enable users to automate unsolicited contact campaigns and collection of personal/business contact data in ways that violate policy or regulation.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger guidance includes very broad phrases such as user mentions of "关键词研究/外链建设的具体方法" ("specific methods for keyword research/backlink building"), which can plausibly appear in ordinary SEO discussion and cause this reference material to be pulled in when not actually needed. Over-broad activation is a real security/quality issue because it expands the skill’s execution surface and can introduce unintended instructions or context into unrelated conversations.

Natural-Language Policy Violations

Medium
Confidence: 92%
Finding
The lesson explicitly recommends programmatically finding and validating email addresses and then using them for outreach at scale, but it provides no guidance on consent, lawful basis, regional anti-spam/privacy rules, or internal policy constraints. In an SEO/link-building skill, this creates a realistic risk of enabling unsolicited contact campaigns that may violate regulations or organizational standards, even if the instructional intent is business/marketing rather than malicious.

VirusTotal

65/65 vendors flagged this skill as clean.
