ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mad SEO Manager

v3.1.4

Autonomously audits sites, plans content calendars, generates SEO-optimized articles, and analyzes Google data for targeted performance improvements.

0· 35·0 current·0 all-time
by@mazgalesc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (autonomous SEO audits, content planning, GSC/GA4 analysis) align with the code and reference docs. The skill delegates Google API and high-fidelity scraping work to other skills (api-gateway, scrapling-official), which is a reasonable design choice. Minor metadata inconsistency: initial metadata said 'Homepage: none' but skill.json lists a homepage/repository — verify origin before trusting.
!
Instruction Scope
SKILL.md and index.js instruct the agent to: perform site-wide crawls, use 'challenge resolution' for resilient scraping, and write persistent files (CALENDAR.md, MASTER_AUDIT.md). Critically, the code/guide mandate inserting first‑hand 'Experience' wording ("I tested...", "Our findings...") into drafts—this encourages fabricated personal-experience statements. The plan_content implementation also contains a coding bug (uses undefined postsPerWeek) which may break behavior. These instructions expand the agent's scope beyond benign content drafting into potentially abusive scraping and possible fabrication of credentials/experience.
Install Mechanism
No install spec; skill is instruction/code-only and pre-loads local reference files. No external downloads or archive extraction. This lowers supply-chain risk. The skill does, however, require other skills to be present to unlock autonomous features (which is an architectural decision, not an installer risk).
Credentials
The skill itself requests no environment variables or credentials (consistent with the shipped files). However, it relies on other skills (api-gateway for Google, scrapling-official for rendering) to access external data — installing or enabling those will require Google/GSC/GA4 creds and scraping infrastructure. That means granting broader access if you enable the full autonomous features; the skill does not itself justify or request any unrelated secrets, but orchestration could lead to high-privilege operations.
Persistence & Privilege
No 'always: true' or other elevated platform privileges. The skill writes/requests the agent write workspace files (CALENDAR.md, MASTER_AUDIT.md) — expected for a content manager. It does not modify other skills' configs in the provided code.
What to consider before installing
This skill mostly does what it says (content planning, drafting, audits) but has two red flags: 1) it explicitly instructs the agent to include first‑hand experience statements ('I tested...', 'Our findings...'), which can lead to fabricated claims — do not publish any unverified first‑hand claims produced by the skill; require human verification. 2) it advocates resilient scraping and 'challenge resolution' via the scrapling skill — only enable that after confirming you own the target sites and you've reviewed legal/ToS/robots.txt constraints. Before enabling autonomous features, verify the provenance of the skill (check the repository/homepage), inspect or run the code in a sandbox, fix or test the visible bug (undefined postsPerWeek in plan_content), and only connect api-gateway or scraping skills if you trust their implementations and the credentials you provide. If you need purely editorial assistance without scraping or automated audits, use only the drafting/research components and avoid installing the external connector skills.
!
index.js:11
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a9k1vm69snje4sn8r1mr1bx84rpx8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments