Seo Prospector

Automated SEO prospect research and outreach for web designers, agencies, and freelancers. Use when researching local business prospects, running scheduled p...

What to check before installing or running: - Read the Python scripts (especially seo_quick_audit.py, perplexity_search.py, create_outreach.py, daily_summary.py, prospect_tracker.py, verify_prospect.py) for any network calls and where they send data. Grep for strings like requests.post, requests.get, smtplib, smtp, discord, webhook, twilio, linkedin, perplexity, api_key, TOKEN, PASSWORD, os.environ, subprocess, socket, or hardcoded URLs/IPs. - Identify required credentials: the code likely needs API keys/webhooks (Perplexity, Discord), SMTP credentials or an outbound mail service, and any SMS/LinkedIn automation tokens. The skill does not declare these — confirm how credentials are provided and where they are stored (avoid plaintext in repo). If credentials are required, prefer storing them in well-scoped environment variables or a secrets manager rather than plaintext config files. - Confirm whether the scripts actually send messages or only generate drafts: inspect create_outreach.py and generate_outreach_batch.py to see if they attempt to deliver emails/DMs or only write files for manual review. If they send messages, verify rate limits, sending channels, and opt-in/opt-out handling to reduce legal/spam risk. - Run the code in an isolated environment (container or VM) first. Perform static checks (python -m py_compile, linting) and run with network access blocked to see what files are written locally. Then selectively enable network to test individual integrations. - Check for hardcoded personal info or third-party endpoints (clawhub.json references a louisvillewebguy homepage/support). If you plan to publish or use the skill commercially, replace sample agency PII in examples and config-template.json. - Consider privacy and legal concerns: automated cold outreach can violate platform terms (LinkedIn, Instagram, Twilio) and anti-spam laws (CAN-SPAM, TCPA). Ensure you have lawful basis and consent for messaging targets. If you want, paste the contents of the key Python scripts here (or allow me to scan them) and I can point to exact lines that require credentials or communicate externally — that would raise confidence and allow a more specific recommendation.

Type: OpenClaw Skill Name: seo-prospector Version: 1.0.0 The skill is classified as suspicious due to multiple shell injection vulnerabilities and a significant prompt injection vulnerability. Specifically, `scripts/seo_quick_audit.py` and `scripts/verify_prospect.py` pass user-controlled URLs and domains directly to `curl` and `whois` commands via `subprocess.run` without explicit sanitization, creating potential shell injection risks. Furthermore, `scripts/research_prospect.py` constructs an LLM prompt for `openrouter.ai` that incorporates content derived from user input (via `perplexity_search.py`), making it vulnerable to prompt injection if a malicious query is crafted. While the skill's stated purpose is benign, these vulnerabilities could be exploited by a compromised agent or malicious user to execute arbitrary commands or manipulate LLM behavior.