Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SEO Optimizer Pro

v1.0.8

AI-powered SEO content analysis and optimization for improved Google ranking and visibility in emerging AI search platforms like ChatGPT and Claude.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (SEO + AEO optimization) aligns with the included Python code and SKILL.md: it analyzes content locally and sends text only to the chosen AI provider. However, the top-level registry requirement block in the submitted metadata (which listed no required env vars / no primary credential) conflicts with the manifest, README, LICENSE and code that require at least one provider API key. This metadata mismatch is an incoherence to be resolved.
Instruction Scope
SKILL.md and README instruct the agent to parse content, run local analyses, and send only the content excerpt to a user-selected AI provider via that provider's SDK. There are no instructions to read unrelated system files, exfiltrate data outside the chosen AI provider, or contact unexpected endpoints beyond the documented providers.
Install Mechanism
No installation script is included (instruction-only install), and dependencies are standard provider SDKs listed in requirements.txt/manifest. The package recommends installing only the SDK for the provider you plan to use, which is proportionate to the functionality. No arbitrary download URLs or extract steps are present.
Credentials
Requesting an API key for the chosen AI provider is reasonable for this skill. The code and manifest expect a single provider API key (resolved by model prefix). However, the top-level registry metadata earlier in the submission states 'no required env vars / primary credential none', while manifest.yaml and code enumerate many different provider env vars. That mismatch (manifest lists many required_env_vars as if they are all required) is misleading and increases risk if users supply multiple keys unnecessarily.
Persistence & Privilege
The skill does not request permanent system presence (always: false) and does not modify other skills or global agent settings. It runs locally and uses environment variables for API keys. Autonomous invocation is allowed (default) but not combined with other high-risk factors here.
What to consider before installing
This skill's behavior (local analysis + sending content to your chosen AI provider) matches its stated purpose, but there are metadata inconsistencies you should resolve before installing. Actionable steps:
- Do not provide multiple provider API keys by default. Only set the environment variable for the single provider/model you will use.
- Verify which env var the model you plan to call requires (e.g., ANTHROPIC_API_KEY for claude-*, OPENAI_API_KEY for gpt-*). The code will error if the required env var is missing.
- The registry-level metadata in this package incorrectly states 'no required env vars' despite the manifest and code requiring a provider key; consider this a sign of sloppy packaging. If you rely on registry metadata, confirm with the manifest/README or the source repository.
- Review the included source (seo_optimizer.py) yourself or have an engineer inspect it to confirm no hidden network calls or unexpected file access beyond the documented provider SDKs.
- Test with non-sensitive sample content and a throwaway API key (or minimal-privilege account) before analyzing private data. Check the chosen provider's data-retention and privacy policies because your content will leave your machine to that provider.
- Confirm the project/source repository (manifest references GitHub) and contact the author if you need clarification about the metadata mismatch or distribution/restrictions in LICENSE.md.

If these checks pass and you only set the single provider key required for your chosen model, the skill appears coherent with its purpose. If the author cannot explain the metadata mismatch or the package requests multiple unrelated secrets at runtime, avoid installation.

Like a lobster shell, security has layers — review code before you run it.

Tags: aeo, ai-optimization, ai-search, content-analysis, content-optimization, copywriting, keyword-analysis, latest, marketing-tech, readability, seo, seo-tools, technical-seo
