Skills
skills/nexscope-ai/nexscope-ecommerce-skills/keyword-research/Gen Agent Trust Hub

keyword-research

Pass

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches keyword data from a remote API defined by the NEXSCOPE_PROXY_BASE environment variable.
  • [DATA_EXFILTRATION]: While the skill communicates with an external API, it is restricted to search parameters and marketplace identifiers necessary for its primary function. It uses the NEXSCOPE_API_KEY provided via environment variables to authenticate these requests.
  • [PROMPT_INJECTION]: The skill processes external data from the Jungle Scout API and interpolates keyword names directly into a Markdown report for the agent's context. This creates a surface for indirect prompt injection if the API source were to return malicious instructions in the keyword name fields.
  • Ingestion points: scripts/keyword_research.py fetches data via the NexScope proxy endpoint.
  • Boundary markers: The output uses Markdown tables and headers to structure data, but lacks explicit boundary markers to isolate potentially untrusted keyword strings.
  • Capability inventory: The agent is granted Bash, Read, and Write tools as specified in SKILL.md.
  • Sanitization: There is no evidence of string sanitization or escaping for the name field returned by the API before it is rendered in the final report.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 28, 2026, 07:05 AM
Security Audit — agent-trust-hub — keyword-research