seo-analyzer
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions involve reading sensitive API keys from a local JSON file at
~/.gooseworks/credentials.jsonto authenticate proxy requests. - [COMMAND_EXECUTION]: Employs
python3 -cone-liners to parse local JSON configuration files and export values to the shell environment. - [EXTERNAL_DOWNLOADS]: Utilizes
npxfor installation (npx goose-skills install) and authentication (npx gooseworks login), which downloads and executes code from the npm registry. - [COMMAND_EXECUTION]: Performs network requests via
curlto theapi.gooseworks.aiinfrastructure to perform SEO tasks. - [PROMPT_INJECTION]: The skill processes untrusted data from external websites (via SEO crawling), which presents an indirect prompt injection surface.
- Ingestion points: Website content is retrieved from external URLs using Scrapegraph and Tavily APIs as defined in SKILL.md.
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when processing site content.
- Capability inventory: The skill uses
curlfor network operations andpython3for local command execution. - Sanitization: No sanitization or filtering logic is provided for the ingested website data.
Audit Metadata