SEO article cluster builder

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed SEO workflow skill that researches sites, generates article clusters, and validates output, with no credential access, persistence, or hidden execution.

Install only if you want an agent to perform SEO cluster research and generate publishing-ready HTML. Give it domains and competitor topics you are comfortable having searched externally, confirm the target language/market before use, and review redirects, links, schema, and final copy before publishing.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list and directive to "always use this skill" are overly broad, which can cause the agent to invoke the skill for generic SEO/content requests without clear user intent or informed consent. In this skill's context, that matters because the workflow mandates fetching live client and competitor data, so over-triggering can expand data collection and external access beyond what the user reasonably expected.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to fetch live client-site and competitor data first, but it does not provide a user-facing warning or consent checkpoint before performing that external retrieval. This creates a transparency and privacy risk: users may unknowingly trigger browsing against third-party sites and expose confidential project domains, research intent, or browsing behavior to external services.

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
The skill hard-codes Vietnamese-language keyword research for the target keyword, which can override user intent, business locale, or the actual market being analyzed. This can produce misleading competitor analysis and content strategy, especially for non-Vietnamese sites or multilingual environments, causing incorrect SEO decisions and wasted effort.

Natural-Language Policy Violations

Medium
Confidence: 96%
Finding
The template hard-codes the HTML language to Vietnamese (`lang="vi"`) and uses Vietnamese UI text throughout without any user preference check. In a general-purpose agent skill, this can cause incorrect-language output, misleading metadata, malformed locale targeting, and downstream publishing mistakes when the user expects another language or market.

VirusTotal

66/66 vendors flagged this skill as clean.
