by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to do what it says (use a CLI to fetch SERP data and produce briefs), but take precautions before following its install instructions: avoid blindly running 'curl | sh' from a domain you don't fully trust; instead download the binary or installer manually and verify the SHA-256 checksum listed at the provided checksums URL. Understand that using the infsh CLI and its 'login' will create credentials/tokens and likely send crawled page content and queries to the inference.sh serv...详细分析 ▾
✓ 用途与能力
The skill's name and description (SEO content briefs, SERP analysis, keyword research) align with the runtime instructions which call a search/extraction CLI (infsh) to gather SERP data and extract top result content. There are no unrelated env vars, binaries, or configs requested.
ℹ 指令范围
SKILL.md instructs the agent/user to install and use the inference.sh CLI to run apps that query search results and extract page content — this is within scope for generating SEO briefs. However the docs show an 'infsh login' step (implying credentials/tokens) even though the skill declares no required credentials; the skill does not explicitly describe how login credentials are handled or stored.
⚠ 安装机制
The Quick Start recommends piping a remote script (curl -fsSL https://cli.inference.sh | sh) which downloads binaries from dist.inference.sh. Piping remote scripts to sh and downloading binaries from an external host are higher-risk actions unless you trust and verify the source. The SKILL.md mentions SHA-256 checksums and a manual verification URL, which mitigates risk if the user actually verifies them, but the default curl|sh pattern remains a notable concern.
ℹ 凭证需求
The skill declares no required environment variables or credentials (fine for an instruction-only skill). But it instructs running 'infsh login' and running apps that likely require an account/API access; this implicit need for auth is not declared. No extraneous unrelated credentials are requested by the SKILL.md itself.
✓ 持久化与权限
The skill does not request always:true, does not include an install spec that writes to unusual system paths, and does not claim to modify other skills or system-wide configuration. It is instruction-only and relies on a separate CLI the user would install manually or via the provided script.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.52026/2/10
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install seo-content-brief
镜像加速npx clawhub@latest install seo-content-brief --registry https://cn.longxiaskill.com