pp-semrush
Pass
Audited by Gen Agent Trust Hub on May 28, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to install the `semrush-pp-cli` tool using `npx` from `@mvanhorn/printing-press-library` and `go install` from `github.com/mvanhorn/printing-press-library`. These sources are associated with the developer's official infrastructure.
- [COMMAND_EXECUTION]: The agent uses the `Bash` tool to execute the `semrush-pp-cli` binary for processing SEO data and managing project configurations.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection attack surface because it ingests data from the external Semrush API.
  - Ingestion points: Output from Semrush API calls processed via `semrush-pp-cli` (SKILL.md).
  - Boundary markers: Uses a structured JSON response envelope with a `results` field to separate data from metadata (SKILL.md).
  - Capability inventory: The agent has the ability to execute shell commands via the `Bash` tool (SKILL.md).
  - Sanitization: No explicit mention of sanitizing or escaping content retrieved from the API before it is processed by the agent context.
Audit Metadata