Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill appears to implement a legitimate SEO research and page-generation workflow, but there are some red flags you should address before installing or supplying credentials:
- Metadata mismatch: The registry claims no env vars are required, but the code and SKILL.md expect DataForSEO credentials, GSC service-account/OAuth credentials, and optional Ahrefs/SEMRush API keys. Treat that omission as a warning sign and ask the publisher to correct the metadata.
- Audit the code: Review scripts/...
Detailed analysis
⚠ Purpose and capability
The skill claims to be an SEO/GEO content generator, and the included scripts (DataForSEO client, GSC client, research/analysis) are appropriate for that purpose. However the registry metadata declares no required environment variables or credentials, while SKILL.md and the code clearly expect DataForSEO login/password, Google Search Console service-account or OAuth credentials, and optional AHREFS/SEMRUSH API keys. Omitting these requirements from the metadata is an incoherence that can mislead users about what access the skill needs.
ℹ Instruction scope
SKILL.md instructs the agent to run local scripts that: perform live SERP queries, parse competitor pages, search for official PDFs (filetype:pdf), use GSC to pull owned-site query data, and save research/outputs under ~/.local/share/seo-agi and ~/Documents/SEO-AGI. Those actions are within the stated SEO purpose, but they involve reading/writing files in the user's home and accessing potentially sensitive site analytics. The runtime instructions also require locating the skill root in various user-specific paths (home directories and tool-specific skill directories).
✓ Install mechanism
There is no install spec (instruction-only from the registry), so nothing is automatically downloaded or executed by an installer. Code files are bundled in the skill, meaning an operator (or the agent) could run local Python scripts, but there is no external URL download or obscure installer specified in the registry metadata.
⚠ Credential requirements
The registry shows 'required env vars: none' but the code and SKILL.md explicitly read ~/.config/seo-agi/.env and expect DATAFORSEO_LOGIN, DATAFORSEO_PASSWORD, GSC_SERVICE_ACCOUNT_PATH (or OAuth creds), and optional AHREFS/SEMRUSH API keys. Requesting these credentials is proportionate to the SEO task, but the omission from the declared requirements is an inconsistency. Users should treat these as sensitive credentials (especially GSC service-account files) and only provide least-privilege, read-only credentials after auditing the code.
ℹ Persistence and privileges
always:false (normal) and the skill does not request to force-enable itself. The code will create and write directories/files under ~/.local/share/seo-agi, ~/.config/seo-agi, and ~/Documents/SEO-AGI, which gives it persistent local presence (research caches, briefs, pages). That is reasonable for a research tool but users should be aware it will store data in their home directory and ensure disk write locations and retention behavior are acceptable.
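Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest, v0.1.0, 2026/3/18
● Benign
Install command
Official: npx clawhub@latest install seo-agi
Mirror (accelerated): npx clawhub@latest install seo-agi --registry https://cn.longxiaskill.com (mirror sync in progress)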