Yufluentcn Seo Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud SEO helper: it sends user-provided product and keyword inputs to Yufluent using a user-supplied API key.

Install only if you are comfortable sending product names, seed keywords, competitor terms, target market details, and related prompts to Yufluent under your TOKENAPI_KEY. Do not point TOKENAPI_BASE_URL at an endpoint you do not trust: the key is sent as a bearer token to whatever host that variable names. Avoid submitting confidential catalog or competitor data unless that fits your data policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tainted flow: 'url' from os.getenv (line 107, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
url = skill_run_url(base_url or os.getenv("TOKENAPI_BASE_URL", ""), skill_id)
try:
    resp = requests.post(
        url,
        json=payload,
        headers={
Confidence
94% confidence
Finding
resp = requests.post(
    url,
    json=payload,
    headers={
        "Authorization": f"Bearer {key}",
        "Accept": "application/json",

Tainted flow: 'url' from os.getenv (line 107, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
url = agent_outcomes_url(base_url or os.getenv("TOKENAPI_BASE_URL", ""))
try:
    resp = requests.post(
        url,
        json=payload,
        headers={
Confidence
94% confidence
Finding
resp = requests.post(
    url,
    json=payload,
    headers={
        "Authorization": f"Bearer {key}",
        "Accept": "application/json",
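
Both tainted-flow findings above describe the same chain: TOKENAPI_BASE_URL decides the host, and the bearer token follows the request there. The block below is an added example, not code from the Yufluentcn Seo Pro skill or from SkillSpector. It places the flagged pattern (a URL built straight from the environment) beside a hardened variant that validates the base URL before a key is attached. The helper names `skill_run_url`, `build_request`, the `ALLOWED_API_HOSTS` list and the `api.yufluent.com` host are assumptions for illustration; the real skill's endpoint and helper signatures are not shown on this page. Nothing is sent: the example stops at assembling the arguments the finding shows being passed to `requests.post`.

```python
"""Added example: env-controlled base URL vs. an allowlisted, validated one."""
import os
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed allowlist: the only host the skill's bearer token should ever reach.
ALLOWED_API_HOSTS = frozenset({"api.yufluent.com"})


class UntrustedBaseUrl(ValueError):
    """Raised when TOKENAPI_BASE_URL names a host the key must not be sent to."""


def skill_run_url_unsafe(base_url: str, skill_id: str) -> str:
    """The flagged pattern: whatever the environment says becomes the target."""
    return f"{base_url.rstrip('/')}/skills/{skill_id}/run"


def validate_base_url(base_url: str) -> str:
    """Return a normalized https base URL on the allowlist, else raise."""
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https":
        raise UntrustedBaseUrl(f"scheme must be https, got {parts.scheme!r}")
    if parts.username or parts.password:
        # 'https://api.yufluent.com@evil.example/' would otherwise look legitimate.
        raise UntrustedBaseUrl("credentials embedded in base URL")
    if parts.port is not None and parts.port != 443:
        raise UntrustedBaseUrl(f"unexpected port {parts.port}")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_API_HOSTS:
        raise UntrustedBaseUrl(f"host {host!r} is not an approved endpoint")
    if parts.query or parts.fragment:
        raise UntrustedBaseUrl("base URL must not carry a query or fragment")
    # Rebuild from the validated pieces only; userinfo and port are dropped.
    return urlunsplit(("https", host, parts.path.rstrip("/"), "", ""))


def skill_run_url(base_url: str, skill_id: str) -> str:
    """Hardened form: a key is only attached to URLs that pass validation."""
    if not skill_id or "/" in skill_id:
        raise ValueError("skill_id must be a single non-empty path segment")
    return f"{validate_base_url(base_url)}/skills/{skill_id}/run"


def build_request(skill_id: str, payload: dict, base_url: Optional[str] = None,
                  key: Optional[str] = None, env: Optional[dict] = None) -> dict:
    """Assemble the url/json/headers the finding shows, without sending them.

    `env` defaults to os.environ; tests pass a constructed dict instead.
    """
    env = os.environ if env is None else env
    key = key or env.get("TOKENAPI_KEY", "")
    if not key:
        raise ValueError("TOKENAPI_KEY is required")
    url = skill_run_url(base_url or env.get("TOKENAPI_BASE_URL", ""), skill_id)
    return {
        "url": url,
        "json": payload,
        "headers": {"Authorization": f"Bearer {key}",
                    "Accept": "application/json"},
    }


if __name__ == "__main__":
    # Constructed environment: an operator has pointed the base URL elsewhere.
    hostile = {"TOKENAPI_BASE_URL": "https://collector.example/",
               "TOKENAPI_KEY": "secret-key"}
    print("unsafe:", skill_run_url_unsafe(hostile["TOKENAPI_BASE_URL"], "seo-pro"))
    try:
        build_request("seo-pro", {"keywords": ["k"]}, env=hostile)
    except UntrustedBaseUrl as exc:
        print("hardened refused:", exc)
```

The unsafe helper happily yields `https://collector.example/skills/seo-pro/run`, and the finding's `Authorization: Bearer {key}` header would go with it. The hardened path refuses before any header is built. Validating on the parsed host rather than a string prefix matters: a prefix check on `https://api.yufluent.com` passes `https://api.yufluent.com.attacker.example/` and `https://api.yufluent.com@evil.example/`, both of which the parsed-host check rejects.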

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that the skill executes via a cloud Harness service and requires an API key, but it does not clearly warn users that product names, keywords, and competitor terms will be transmitted to an external service. This creates a meaningful privacy and data-governance risk because users may submit commercially sensitive marketplace data without informed consent or knowledge of where it is processed.

VirusTotal

65/65 vendors flagged this skill as clean.
