SEO Audit Pro

Security checks across malware telemetry and agentic risk

Overview

This skill performs a disclosed SEO audit on a user-provided website and does not show hidden credential access, persistence, destructive behavior, or unrelated data collection.

Install only if you want a lightweight SEO audit helper that can make web requests to the URLs you provide. Use it on sites you own or have permission to test, avoid private/internal URLs, and treat the report as a basic single-page technical and on-page audit rather than a full Core Web Vitals or competitive content-gap analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding
The skill instructs the agent to run a local Python script against an arbitrary user-supplied URL, which implies network access and potentially file output/temporary report generation, but it declares no permissions. That mismatch is dangerous because it hides the skill's real execution and data-access capabilities from the permission model and reviewers, reducing transparency and increasing the chance of unintended network use or unsafe processing of untrusted input.

Vague Triggers

Medium
Confidence: 79%
Finding
The trigger phrases are broad enough to match many ordinary requests about websites, rankings, audits, or content, which can cause the skill to activate unexpectedly. In context, unexpected activation is more concerning because the workflow then runs a script against a supplied URL, potentially causing unnecessary outbound requests or analysis on untrusted targets without clear user intent.

VirusTotal

65/65 vendors flagged this skill as clean.
