Seo Scout Pro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This SEO tool mostly scouts website forms, but it also teaches stealthy automation and account-session reuse that can bypass site protections.
Review carefully before use. It may be acceptable for authorized form discovery, but do not use the stealth, anti-detect, Cloudflare bypass, or authenticated submission guidance against sites where you lack permission. Keep credentials out of shared configs, avoid personal OAuth sessions, and inspect any external CLI/helper code before running it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this as written could cause an agent to automate activity against third-party sites in ways that violate site rules, trigger blocks, or create abuse risk.
The skill instructs use of stealth/rebrowser automation for sites with basic Cloudflare WAF protection, which can facilitate evasion of anti-bot controls rather than only passive form analysis.
Loads target URL in stealth browser ... Level 1: Basic WAF ... rebrowser-playwright: ✅ Works ... Basic WAF → Use rebrowser ✅
Use only on sites you own or have explicit permission to test; avoid anti-detect/stealth bypass modes, require manual approval before submissions, and respect robots.txt, rate limits, and site terms.
An agent could act through the user's web accounts or stored credentials on arbitrary submission sites, creating account, privacy, and unauthorized-action risk.
The skill advises storing credentials and reusing cached OAuth sessions, while the metadata declares no credential requirement and the artifacts do not define scope, storage protections, or user approval boundaries.
Store credentials in config.yaml ... Subsequent: auto-select cached Google account ... Tip: do all OAuth sites in one browser session
Use separate low-privilege accounts, avoid raw password storage, do not reuse personal OAuth sessions, and require explicit user confirmation before any authenticated action.
The scanned package does not show all implementation code a user might be told to run.
The instructions reference CLI and browser helper code that is not present in the provided two-file manifest, so any user following those examples would need to inspect additional code outside this reviewed artifact set.
node src/cli.js scout https://target-directory.com --deep ... import { withBrowser, delay, humanType } from '../browser.js';Before running the referenced Node CLI or generated adapters, review the actual repository files, dependencies, and lockfiles.