Trusted — Risk Score 5/100
Last scan: 23 hr ago
seo-agi
Generative Engine Optimization skill that writes SEO pages using DataForSEO and GSC data
Legitimate SEO content generation skill with proper credential handling, documented network access to SEO APIs, and no malicious behavior detected.
Skill Name: seo-agi
Duration: 49.0s
Engine: pi
Safe to install
No action required. The skill performs standard SEO research operations. Consider documenting pip install behavior in SKILL.md for transparency.

Findings 2 items

Severity: Low
Finding: Unpinned pip dependency in setup script (Supply Chain)
Location: scripts/setup.py:48
setup.py installs 'requests' via subprocess without strict version pinning. The requirements.txt does specify requests>=2.28.0, but setup.py does not use requirements.txt directly.
subprocess.check_call([sys.executable, '-m', 'pip', 'install', '--quiet'] + deps)
→ Consider using pip install from requirements.txt or pinning versions: pip install requests==2.31.0

Severity: Info
Finding: SKILL.md capability mapping is informal (Doc Mismatch)
Location: SKILL.md:1
SKILL.md does not include a formal 'allowed_tools' or capability declaration section. Tool usage is inferred from the documented execution protocol.
SKILL.md uses documentation instead of formal metadata for tool declarations
→ Add a formal capability declaration section to SKILL.md for transparency

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md declares config writes to ~/.config/seo-agi/ and output writes to ~/Doc… |
| Network | READ | READ | ✓ Aligned | SKILL.md declares DataForSEO and GSC API calls for research data |
| Shell | NONE | WRITE | ✓ Aligned | setup.py:48 uses subprocess for pip install, documented as setup step |
| Environment | READ | READ | ✓ Aligned | env.py:53-60 reads specific API key env vars (DATAFORSEO_*, GSC_*, AHREFS_*, SEM… |
| Database | NONE | NONE | | No database access observed |

10 findings
Medium · External URL · https://dataforseo.com · README.md:241
Medium · External URL · https://x.com/hreg15 · README.md:361
Medium · External URL · https://competitor1.com/jfk-parking · fixtures/serp_sample.json:25
Medium · External URL · https://competitor2.com/airports/jfk/parking · fixtures/serp_sample.json:44
Medium · External URL · https://schema.org · references/schema-patterns.md:10
Medium · External URL · https://search.google.com/test/rich-results · references/schema-patterns.md:140
Medium · External URL · https://validator.schema.org/ · references/schema-patterns.md:141
Medium · External URL · https://app.dataforseo.com/api-dashboard\n · scripts/setup.py:66
Medium · External URL · https://other.com/page · tests/test_dataforseo.py:38
Info · Email · [email protected] · tests/test_dataforseo.py:137

File Tree

20 files · 111.5 KB · 3123 lines
Python 10f · 1526L Markdown 7f · 1507L JSON 2f · 85L Text 1f · 5L
├─ 📁 fixtures
│ ├─ 📋 keywords_sample.json JSON 12L · 1.1 KB
│ └─ 📋 serp_sample.json JSON 73L · 2.5 KB
├─ 📁 references
│ ├─ 📝 page-templates.md Markdown 138L · 4.0 KB
│ ├─ 📝 quality-checklist.md Markdown 83L · 3.0 KB
│ └─ 📝 schema-patterns.md Markdown 141L · 2.8 KB
├─ 📁 scripts
│ ├─ 📁 lib
│ │ ├─ 🐍 __init__.py Python 1L · 26 B
│ │ ├─ 🐍 env.py Python 147L · 4.5 KB
│ │ ├─ 🐍 gsc_client.py Python 179L · 5.4 KB
│ │ └─ 🐍 serp_analyze.py Python 261L · 6.9 KB
│ ├─ 🐍 gsc_pull.py Python 96L · 3.3 KB
│ ├─ 🐍 research.py Python 358L · 11.0 KB
│ └─ 🐍 setup.py Python 160L · 5.3 KB
├─ 📁 tests
│ ├─ 🐍 test_dataforseo.py Python 149L · 4.6 KB
│ ├─ 🐍 test_env.py Python 50L · 1.4 KB
│ └─ 🐍 test_serp_analyze.py Python 125L · 4.0 KB
├─ 📝 CLAUDE.md Markdown 59L · 2.2 KB
├─ 📝 README.md Markdown 365L · 17.9 KB
├─ 📄 requirements.txt Text 5L · 115 B
├─ 📝 SKILL.md Markdown 522L · 25.2 KB
└─ 📝 SPEC.md Markdown 199L · 6.3 KB

Dependencies 3 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | >=2.28.0 | pip | No | Minimum version specified in requirements.txt |
| google-auth | * | pip (optional) | No | Optional dependency for GSC support, not installed by default |
| google-api-python-client | * | pip (optional) | No | Optional dependency for GSC support, not installed by default |

Security Positives

✓ No credential exfiltration detected - API keys stored locally in ~/.config/seo-agi/.env only
✓ No obfuscation techniques - no base64, eval(), or dynamic code execution
✓ No sensitive path access - does not read ~/.ssh, ~/.aws, or similar credential directories
✓ No hidden functionality - all operations match documented behavior
✓ No reverse shell, C2 communication, or data theft patterns
✓ Environment variable access is targeted (specific API keys only), not enumerating all env vars
✓ Proper error handling with graceful fallbacks (mock mode when no API keys)
✓ Test suite includes unit tests for all core modules