ClawHub

Wordpress Seo Autopilot

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate WordPress SEO skill, but it may change a live site and use SEO service credentials without clear enough safeguards.

Install only if you are comfortable granting an agent access to your WordPress/SEO tooling. Use a staging site first, back up content, prefer least-privilege credentials, and require explicit approval before any live-site edits, bulk metadata updates, schema changes, or internal-link modifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The quick-start examples encourage actions like auditing, optimizing meta tags, creating schema, and implementing internal links on a live WordPress site, but they do not clearly distinguish read-only analysis from write operations. In an agent setting, ambiguous prompts can cause users to trigger bulk site modifications without understanding that content may be changed automatically, increasing risk of unintended production impact.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill promotes direct integration with WordPress, RankMath, Google Search Console, and other external SEO tools while later documenting credentials and API keys, but it does not prominently warn that site content, metadata, analytics, or search performance data may be transmitted to third parties. This can lead users to expose sensitive operational data or overprovision credentials without informed consent or data-handling awareness.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal