yandex-wordstat
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill uses official Yandex API endpoints (api.wordstat.yandex.net and api.direct.yandex.com) for its core functionality. It does not perform unauthorized data exfiltration or credential harvesting.
- [SAFE]: Instructions in 'config/README.md' and the 'scripts/get_token.sh' script guide the user through a standard OAuth authorization flow. The use of a '.env' file for token storage is a documented best practice for sensitive credentials.
- [SAFE]: Static detection of homoglyphs in 'config/README.md' is a false positive. The characters in the URL examples are standard Latin characters, and the surrounding text is in Russian, which is expected given the target service (Yandex). There is no evidence of typosquatting or phishing.
- [SAFE]: The Python script 'scripts/missed_demand.py' uses the third-party openpyxl package and the standard-library urllib and json modules for processing local XLSX exports and making API calls. It includes robust sanitization logic for user-provided query segments to prevent syntax errors in the Wordstat API.
- [SAFE]: Shell scripts ('scripts/top_requests.sh', 'scripts/quota.sh', etc.) are well-structured, using local configuration and providing transparent output to the user. They do not execute remote code or modify system persistence settings.