seo-flow
Warn
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
/seo flow synccommand defined inSKILL.mdtriggers the execution of a local script:python scripts/sync_flow_seo.py. This script performs operations on the local file system and modifies the skill's internal content. - [EXTERNAL_DOWNLOADS]: The synchronization logic is designed to pull updated content from an external "FLOW prompt repository" using the GitHub API or CLI. While the skill identifies the source as its own repository, the automated retrieval and installation of remote files represent an external dependency mechanism.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it processes untrusted user data (URLs and topics) and interpolates them into analysis prompts. This vulnerability could be exploited if the processed content contains malicious instructions designed to override agent behavior.
- Ingestion points: Multiple commands in
SKILL.md(e.g.,/seo flow find [url|topic],/seo flow optimize [url]) accept external input that is subsequently passed to the agent's context. - Boundary markers: The prompt templates located in the
references/prompts/directory do not employ delimiters or specific instructions to isolate or ignore potentially malicious content within the user-provided data. - Capability inventory: The skill has the capability to execute shell commands via the
/seo flow syncfunction. - Sanitization: The instructions do not specify any validation, escaping, or sanitization protocols for the ingested content before it is processed by the AI.
Audit Metadata