SEO Analyzer Pro

Security checks across malware telemetry and agentic risk

Overview

The SEO functionality is straightforward, but the skill documentation exposes a hardcoded API key that is not declared or justified by the code.

Do not install this version until the hardcoded API key is removed and rotated. If you do use the SEO analyzer, provide only public webpage URLs and avoid internal or private addresses.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

A hardcoded key could expose someone’s account or billing authority, or cause users and agents to rely on an undeclared shared credential.

Why it was flagged

The skill publishes a credential-like secret in its documentation even though the registry declares no required credentials and the included handler does not use an API key.

Skill content
- API Key: sk_93c5ff38cc3e6112623d361fffcc5d1eb1b5844eac9c40043b57c0e08f91430e
Recommendation

Remove the exposed key, rotate it if real, and use a declared environment variable or credential manager with clear scope and ownership.

ASI02: Tool Misuse and Exploitation
Low
What this means

If given an internal or sensitive URL, the skill may request that page from the agent’s environment.

Why it was flagged

The skill fetches any HTTP(S) URL found in the user input. This is expected for SEO analysis, but it is broad network access without allowlisting or private-network blocking.

Skill content
url = re.search(r'https?://[^\s]+', input_text) ... resp = requests.get(url, timeout=10)
Recommendation

Use it only with public webpages, or add URL validation that blocks localhost, private IP ranges, and other internal services.