Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SEO Intel
v1.2.5Local SEO competitive intelligence tool. Use when the user asks about SEO analysis, competitor research, keyword gaps, content strategy, site audits, AI cita...
⭐ 0· 112·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to be a local SEO crawler/analyzer yet the registry metadata lists no required binaries or env vars. The instructions call out npm (npm install -g seo-intel), Playwright (for crawling), Ollama/Qwen (local extraction), and OpenClaw cloud models (analysis). Those runtime dependencies are not declared in metadata, which is an incoherence: a routing/installation expectation is hidden in the prose rather than the manifest.
Instruction Scope
SKILL.md instructs the agent/user to crawl target and competitor sites, store data in a local SQLite ledger, run local model extraction or route analysis to OpenClaw cloud models, and serve a dashboard at localhost:3000. That workflow will collect full page content and metadata and (per the doc) send it to external cloud models for analysis. The instructions do not clearly document what is sent to external services or what config files 'setup' will read (it says 'detects OpenClaw automatically'), so there's an unquantified risk of sensitive data being uploaded.
Install Mechanism
The skill is instruction-only in the registry (no install spec, no code files), but SKILL.md tells the user to run `npm install -g seo-intel` and `seo-intel setup`. That implies an external npm package will be downloaded/installed at runtime outside the skill registry. Because the registry doesn't include an install provenance or release host, that external install step is a higher-risk action (arbitrary code from npm) and should be treated with caution.
Credentials
The manifest declares no required environment variables or credentials, yet the workflow depends on other systems: Ollama (local model host) and OpenClaw cloud models. The doc claims 'no API keys to manage' which implies reliance on platform routing or existing agent credentials; this is a mismatch that could mean crawled content is sent via the agent/platform to a cloud model without explicit credential prompts or clear user consent.
Persistence & Privilege
always:false (normal). The tool will create a local SQLite database and an 'Intelligence Ledger' that persists across runs, and can run a local web server on localhost:3000. Those are expected for this type of utility, but they do create persistent local data and a long-lived local service that may hold sensitive extracts. No evidence of modifying other skills or system-wide agent configuration was found in the provided docs.
What to consider before installing
Before installing or running this skill: 1) Don't blindly run `npm install -g seo-intel` — inspect the npm package and its source repository first. 2) Understand where analysis runs: the docs reference OpenClaw cloud models — assume crawled page content may be sent off-host unless you verify otherwise. Avoid crawling private/intranet sites or any pages containing sensitive data. 3) Expect additional installs (Playwright, Ollama, possibly system libs) and review those requirements. 4) The tool stores data in a local SQLite ledger and can serve a dashboard on localhost:3000 — secure that server and the DB, and consider running in an isolated environment or VM. 5) Ask the skill author for: (a) exact npm package name and repository/commit, (b) a clear list of what is uploaded to cloud models and where, and (c) explicit runtime requirements and any files/configs the 'setup' command will read. If you need to keep data private, do not run the 'analyze' step until you confirm analysis can be performed fully locally.Like a lobster shell, security has layers — review code before you run it.
latestvk972vf9jg7k71kxnr639edavb583zdem
License
MIT-0
Free to use, modify, and redistribute. No attribution required.