seo-analyzer

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructions involve reading sensitive API keys from a local JSON file at ~/.gooseworks/credentials.json to authenticate proxy requests.
  • [COMMAND_EXECUTION]: Employs python3 -c one-liners to parse local JSON configuration files and export values to the shell environment.
  • [EXTERNAL_DOWNLOADS]: Utilizes npx for installation (npx goose-skills install) and authentication (npx gooseworks login), which downloads and executes code from the npm registry.
  • [COMMAND_EXECUTION]: Performs network requests via curl to the api.gooseworks.ai infrastructure to perform SEO tasks.
  • [PROMPT_INJECTION]: The skill processes untrusted data from external websites (via SEO crawling), which presents an indirect prompt injection surface.
  • Ingestion points: Website content is retrieved from external URLs using Scrapegraph and Tavily APIs as defined in SKILL.md.
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when processing site content.
  • Capability inventory: The skill uses curl for network operations and python3 for local command execution.
  • Sanitization: No sanitization or filtering logic is provided for the ingested website data.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 06:18 AM
Security Audit — agent-trust-hub — seo-analyzer