seo-opportunity-finder
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill exposes an Indirect Prompt Injection surface because it processes data from external websites (sitemaps, RSS feeds, and competitor pages). However, given the skill's purpose (SEO reporting) and limited capability set, this is considered a standard functional risk rather than a malicious finding.
  - Ingestion points: Website sitemaps, RSS feeds, and HTML content from user-specified and competitor domains.
  - Boundary markers: The instructions do not define specific delimiters for the fetched content.
  - Capability inventory: Web fetching, web searching, and file system write operations to save the report.
  - Sanitization: No explicit content validation or sanitization is described in the provided logic.
- [EXTERNAL_DOWNLOADS]: The skill fetches SEO metrics from Apify's Semrush scraper. This is a well-known service integration and is documented neutrally as it represents intended functionality using an official API token.
- [SAFE]: Sensitive information like API tokens is managed via the `APIFY_API_TOKEN` environment variable, which aligns with security best practices for avoiding hardcoded credentials.
Audit Metadata