keyword-wedge

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted data from several external and local sources, creating a surface for indirect prompt injection.
      • Ingestion points: Scans the application codebase for UI copy and metadata (Phase 2), fetches search queries from Google Search Console (Phase 4), retrieves user behavior data from PostHog (Phase 4), and automates browsing of Google Keyword Planner (Phase 5).
      • Boundary markers: Absent; the sub-agent prompts provided in the references do not utilize delimiters or specific instructions to ignore embedded commands within the ingested data.
      • Capability inventory: Includes file system read/write access (within the .keyword-wedge/ directory), network fetching via WebFetch, and browser automation via Claude-in-Chrome.
      • Sanitization: Absent; no validation or sanitization of the retrieved data is mentioned before it is processed into reports and state files.
  • [SAFE]: The skill manages authentication securely by using placeholders for API keys and instructs the user to configure access separately. It targets well-known service domains for Google and PostHog APIs and maintains session state locally without exfiltrating sensitive information to unknown third-party servers.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 16, 2026, 01:41 AM