SEO Article Pipeline

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent SEO article workflow, but it uses provider credentials, external research calls, a local shell helper, and blog output paths that users should review.

Before installing, confirm you are comfortable giving the skill DataForSEO credentials and sending researched keywords to DataForSEO and Google Suggest. Configure blog output paths carefully, keep credentials out of the repository, and review all generated article/image files before publishing.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Your DataForSEO account credentials and quota may be used when researching keywords.

Why it was flagged

The skill requires account credentials for DataForSEO keyword research. This is disclosed and purpose-aligned, but it still grants access to a paid/provider account.

Skill content
Requires `DATAFORSEO_LOGIN` and `DATAFORSEO_PASSWORD` env vars.
Recommendation

Use dedicated DataForSEO credentials if possible, keep them out of source control, and monitor provider usage.

ASI02: Tool Misuse and Exploitation
Low
What this means

Keywords you research are shared with external providers; unusual keyword strings could produce unintended query text.

Why it was flagged

The helper sends the user-provided keyword to external SEO/search-suggestion APIs. This is expected for keyword research, but the Google Suggest query construction is not robustly URL-encoded/quoted for unusual keyword values.

Skill content
curl -s -X POST "https://api.dataforseo.com/v3/keywords_data/google_ads/search_volume/live" ... "https://suggestqueries.google.com/complete/search?client=firefox&q=$(echo $KEYWORD | sed 's/ /+/g')"
Recommendation

Avoid entering secrets as keywords, and improve the helper by using safe URL and JSON encoding for user-supplied keyword values.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The skill may fail or behave differently on systems without those tools installed.

Why it was flagged

The included script depends on curl and python3, while the registry metadata lists no required binaries. This is an under-declared dependency issue rather than hidden behavior.

Skill content
curl -s -X POST ... | \
  python3 -c
Recommendation

Declare curl and python3 as required binaries, or document them clearly in setup instructions.

ASI08: Cascading Failures
Low
What this means

Generated content or images could become part of a public blog if committed and deployed.

Why it was flagged

The configuration points generated articles and images into a blog repository path, potentially on the main branch. That is aligned with the SEO publishing purpose, but changes could propagate through the normal publishing workflow.

Skill content
- **Articles path**: ./content/blog/{locale}/slug.mdx
- **Images path**: ./public/blog/
- **Branch**: main
Recommendation

Review generated files and git diffs before committing, merging, or publishing them.