Use when the user wants to turn [Dageno](https://dageno.ai/?utm_source=github&utm_medium=social&utm_campaign=official) GEO opportunities into a real-fanout b...
Security Analysis
medium confidence
The skill generally matches its stated purpose (turn Dageno data into editorial packages and optionally publish to WordPress) but there are inconsistencies in declared required secrets and the runtime surface that warrant caution before installing or providing credentials.
The skill's name and description (Dageno -> fanout backlog -> article -> optional WordPress publish) align with the files present (client, citation crawling, wordpress integration, CLI, workflows). Requiring python3 is expected. However, the registry-level 'Requirements' block only lists DAGENO_API_KEY while SKILL.md's internal metadata and many code files indicate additional optional integrations (FIRECRAWL_API_KEY, WORDPRESS_SITE_URL, WORDPRESS_USERNAME, WORDPRESS_APP_PASSWORD). That mismatch is an inconsistency to verify.
SKILL.md instructs the agent to call the geo_content_writer CLI (PYTHONPATH=src python -m geo_content_writer.cli ...) to build fanout, crawl citation pages, analyze patterns, generate briefs, and optionally publish to WordPress. Crawling top citation pages and 'optional web research' implies outbound HTTP/HTTPS calls to arbitrary sites (expected for citation analysis) — this is coherent with the skill's purpose but expands the runtime network footprint and can touch many external sites and HTML content.
There is no install spec; the package is instruction/code-only and expects python3 and a PYTHONPATH run. This is low-risk compared with remote binary downloads. The presence of many source files means the code will run locally, but nothing in the manifest indicates an automated installer or remote executable fetch.
The top-level registry metadata (Requirements) only lists DAGENO_API_KEY as required, but SKILL.md's embedded metadata and code indicate additional sensitive environment variables (FIRECRAWL_API_KEY and full WordPress credentials). WordPress app passwords and web-crawl API keys are sensitive and should only be provided if you intend to use those features. The skill's declared primaryEnv is DAGENO_API_KEY, which is appropriate, but the discrepancy between the registry summary and SKILL.md is a red flag: you should confirm exactly which credentials the code will attempt to read and transmit.
The skill is not marked 'always: true' and uses the default model-invocation behavior. It does not request system-wide persistence in the metadata (no config paths beyond project-local knowledge/backlog files). This privilege surface is typical for a CLI-style skill and is not unusually broad.
Guidance
Before installing or providing credentials:
1) Confirm which environment variables you actually need (the registry summary lists only DAGENO_API_KEY, but SKILL.md mentions FIRECRAWL_API_KEY and WORDPRESS_* vars).
2) If you won't publish to WordPress or run citation crawling, avoid supplying WORDPRESS_APP_PASSWORD and FIRECRAWL_API_KEY.
3) Inspect the included src files (client.py, wordpress.py, citation_crawl.py, workflows.py) for where keys are sent and what external endpoints are contacted.
4) Run the tool in an isolated environment (dedicated VM or container) and with least-privilege API keys (scoped tokens) to limit blast radius.
5) If you plan to use WordPress publishing, consider creating a WordPress account/app password scoped to a test site or limited user.
6) If you need help verifying which env vars are actually referenced at runtime, share the specific client.py / wordpress.py call sites and I can inspect them and explain the outbound requests in detail.
Latest Release
v0.7.3
Add batch-run workflows, brand mode, auto-revise support, root SKILL.md packaging, and wrapper improvements for the Dageno GEO content workflow.
Published by @geo-seo on ClawHub