Yufluent Clawhub Publish Yufluentcn Seo Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud client for ecommerce SEO keyword reports; it sends user-provided product and keyword data plus a Yufluent API key to a configured API endpoint.

Install only if you are comfortable sending product, seed keyword, competitor keyword, market, and language details to Yufluent's cloud service. Keep TOKENAPI_KEY private, and do not set TOKENAPI_BASE_URL unless you trust the endpoint that will receive your Bearer token and SEO payload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tainted flow: 'url' from os.getenv (line 271, credential/environment) → requests.post (network output)

Critical
Category: Data Flow
Content:
}
    if body is not None:
        kwargs["json"] = body
    return requests.post(url, **kwargs)


def _raise_for_status(resp: requests.Response) -> None:
Confidence: 91%
Finding: return requests.post(url, **kwargs)

Missing User Warnings

Medium
Confidence: 87%
Finding:
The script transmits user-supplied product, keyword, competitor keyword, and market data to a remote cloud service via run_skill(), but this file provides no explicit user-facing notice at execution time that the data leaves the local environment. In a business context, such inputs may include sensitive commercial plans or proprietary marketing terms, so silent transmission increases privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.
