kwp
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill runs a local Node.js script (scripts/kwp-fetch.mjs) to communicate with the DataForSEO API. This script uses only built-in Node.js functionality and performs its intended task without extra dependencies.
- [PROMPT_INJECTION]: The skill processes external data from an API, which is a potential surface for indirect prompt injection. This risk is addressed in SKILL.md with instructions to treat API output as non-executable text and use HTML escaping. Evidence: 1. Ingestion points: Keyword data from DataForSEO API. 2. Boundary markers: Explicit 'Untrusted Data Handling' section in SKILL.md. 3. Capability inventory: Local file system access, network connectivity, and subprocess execution. 4. Sanitization: Mandated HTML-escaping of values.
- [DATA_EXPOSURE]: The script accesses .env files to load API credentials and site-related environment variables. This access is localized and the data is only transmitted to the official DataForSEO API endpoint.
Audit Metadata