Seo Autopilot
v1.0.0
Run local SEO autopilot for boll-koll.se or hyresbyte.se and return PR link plus summary.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included script's intent: run an SEO tool for two allowlisted sites and return a PR link. However, the skill depends on an external 'seo-autopilot' CLI binary that is not declared in requirements or an install spec. Requiring a host-provided binary without documenting it is disproportionate and unclear.
Instruction Scope
SKILL.md explicitly restricts actions to running scripts/run.sh <site> and to the two allowlisted sites, which is good. But SKILL.md also says the agent should include the top 3 findings from SEO_REPORT.md if it exists; there is no code that reads that file, and the allowed-tools list includes exec, which could be used to read arbitrary files if the agent deviates. The script itself only runs an external program and echoes its output, so the agent would need to run extra commands to implement the SEO_REPORT.md behavior, which is an inconsistency.
Install Mechanism
There is no install spec. The provided script calls an external 'seo-autopilot' program (seo-autopilot "$SITE") which is neither provided nor installed by the skill. This reliance on an undeclared binary is a high-risk omission: the execution will succeed only if a binary named 'seo-autopilot' exists on PATH (which could be benign or attacker-controlled).
Credentials
The skill requests no environment variables, no credentials, and no config paths — these are proportionate to the stated task.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable only. It does allow exec (normal for instruction-only skills).
What to consider before installing
Do not install or run this skill until you have verified the origin and contents of the 'seo-autopilot' program it calls. Ask the author: (1) where does the 'seo-autopilot' binary come from (official repository or release URL, and version)? (2) Can they provide an install spec, or include the source code and a reproducible build, plus checksums or a signature for any binaries? If you must test it, run it inside a tightly sandboxed environment (an isolated container) and inspect what the 'seo-autopilot' binary does (network endpoints, file accesses). Also clarify how SEO_REPORT.md is supposed to be read (the script does not read it), and restrict exec permissions so the agent cannot run commands beyond scripts/run.sh.
seo-autopilot
Usage (WhatsApp / chat)
- seo
- seo boll-koll.se
- seo hyresbyte.se
Default site: boll-koll.se
Safety
Only allow: boll-koll.se, hyresbyte.se
Never run arbitrary commands. Only run:
- scripts/run.sh <site>
Behavior
- Parse site from the message, default to boll-koll.se.
- Refuse if site is not in allowlist.
- Run: scripts/run.sh <site>
- Extract PR url from stdout (line starting with "PR:").
- If SEO_REPORT.md exists in the repo, include the top 3 findings in the reply.
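The Behavior steps above, together with the scan's advice to pin and checksum the binary and keep the agent confined to scripts/run.sh, as an added example. This is not the skill's own scripts/run.sh (which, per the scan, only calls seo-autopilot "$SITE" and echoes its output). Everything beyond the two allowlisted sites, the default site and the "PR:" line convention is assumed: the binary location and its expected SHA-256 come from the hypothetical SEO_AUTOPILOT_BIN and SEO_AUTOPILOT_SHA256 variables, which the person installing sets after verifying the release.

```shell
#!/bin/sh
# Added example: a hardened stand-in for scripts/run.sh. Not the skill's script.
# Assumed (not from the page): the installer sets SEO_AUTOPILOT_BIN to an absolute
# path and SEO_AUTOPILOT_SHA256 to the digest of the verified release binary.

ALLOWED_SITES="boll-koll.se hyresbyte.se"   # from SKILL.md
DEFAULT_SITE="boll-koll.se"                  # from SKILL.md

# check_site SITE -> 0 if SITE (or the default when empty) is exactly an
# allowlisted hostname, 1 otherwise. Exact string match: "boll-koll.se;id" fails.
check_site() {
    site="${1:-$DEFAULT_SITE}"
    for allowed in $ALLOWED_SITES; do
        if [ "$site" = "$allowed" ]; then
            return 0
        fi
    done
    return 1
}

# sha256_of FILE -> prints the hex SHA-256 digest (GNU sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_binary PATH EXPECTED_SHA256 -> 0 only if PATH is absolute, a regular
# executable file, and its digest matches EXPECTED_SHA256. A bare program name
# is refused, so a 'seo-autopilot' planted somewhere on PATH is never picked up.
verify_binary() {
    bin="$1"
    expected="$2"
    case "$bin" in
        /*) ;;
        *) return 1 ;;
    esac
    [ -f "$bin" ] && [ -x "$bin" ] || return 1
    [ -n "$expected" ] || return 1
    actual="$(sha256_of "$bin")"
    [ "$actual" = "$expected" ]
}

# extract_pr_url -> reads tool output on stdin and prints the URL from the first
# line that starts with "PR:" (the convention SKILL.md describes).
extract_pr_url() {
    sed -n 's/^PR:[[:space:]]*//p' | head -n 1
}

# run_site [SITE] -> enforces the allowlist and the binary pin, then runs the tool.
# Exit codes: 2 = site refused, 3 = binary not verified, else the tool's status.
run_site() {
    site="${1:-$DEFAULT_SITE}"
    if ! check_site "$site"; then
        echo "refused: '$site' is not an allowlisted site" >&2
        return 2
    fi
    if ! verify_binary "${SEO_AUTOPILOT_BIN:-}" "${SEO_AUTOPILOT_SHA256:-}"; then
        echo "refused: seo-autopilot binary is not pinned and verified" >&2
        return 3
    fi
    "$SEO_AUTOPILOT_BIN" "$site"
}

# Usage: sh run.sh <site>   (only runs the tool when a site argument is given)
if [ "$#" -gt 0 ]; then
    run_site "$1"
fi
```

Because run_site refuses a relative program name and a digest mismatch, a 'seo-autopilot' that merely happens to exist on PATH is never executed, which addresses the scan's Install Mechanism finding. The allowlist check is an exact string comparison, so anything the agent parsed out of a chat message that is not one of the two hostnames is rejected before it can reach the binary.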
