Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Seo Scout Pro
v1.0.0Website submit page discovery and form analysis tool. Scout any website to find submission forms, detect authentication requirements, identify CAPTCHAs, and...
⭐ 0· 59·0 current·0 all-time
bybytesagain4@xueyetianya
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md and script.sh focus on discovering submission pages and automating form submissions (including adapter templates that use a headless browser). That matches the name/description. However, the skill does not declare required binaries or dependencies even though it repeatedly references node, python3, curl, and browser-based automation (Playwright/rebrowser). The absence of declared runtime requirements is an incoherence: someone building this would legitimately need those dependencies.
Instruction Scope
Runtime instructions include automatic crawling, form filling, OAuth automation strategies, CAPTCHA detection, Cloudflare challenge heuristics, and an explicit 'anti-detect' (browser stealth) guide. While these fall under the stated purpose (automating submissions), the guidance for stealth/anti-detection and automated handling of auth flows increases misuse risk (spam/abuse/credential automation). The instructions also advise storing credentials in config.yaml and discuss automating OAuth flows — the skill does not constrain or clarify how credentials are handled or protected.
Install Mechanism
No install specification is provided (instruction-only), which minimizes direct install risk. However, the provided files and templates assume additional tooling (Node, Playwright/rebrowser, python3, curl). The skill ships a script.sh (documentation/usage) but has no install steps to obtain Playwright/browser binaries; this mismatch is noteworthy because runtime will fail or prompt arbitrary installs if the agent attempts to execute those commands.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md, however, instructs storing account credentials in config files and discusses OAuth and magic links — which implies the operator will supply sensitive data. The skill does not request or document how to store or protect such secrets, nor does it provide environment variable usage, creating a gap between expected secret handling and declared requirements.
Persistence & Privilege
The skill is not force-enabled (always: false) and uses normal autonomous invocation settings. It does not request persistent system-wide configuration or attempt to modify other skills. No privilege escalation indicators were found in metadata.
What to consider before installing
This skill appears to do what it says (find and analyze submission forms and provide automation templates), but there are important caveats: 1) It expects runtime tools (node, Playwright/rebrowser, python3, curl, a browser) that are not declared — verify and install these from trusted sources before running. 2) The SKILL.md contains explicit 'anti-detect' and automation guidance that can be used to evade protections; consider the legal and terms-of-service implications of automating submissions and evasive behavior. 3) The skill discusses storing credentials (config.yaml) and automating OAuth flows but doesn't specify secure handling — never supply real account credentials to untrusted code or allow the agent to store secrets without encryption. 4) If you plan to use this skill, review and run the included code in an isolated environment, audit any third-party dependencies (Playwright, npm packages), and consider disabling autonomous invocation or restricting the skill's scope until you've validated it. If you need, supply the list of dependencies and the content of any other code files for a deeper review.Like a lobster shell, security has layers — review code before you run it.
latestvk975sdx865h18tk98k0r4x8xds83gb63
License
MIT-0
Free to use, modify, and redistribute. No attribution required.