subkeyword-injector
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install external tools if not present, specifically 'agent-browser' and a 'Google Search Console (GSC) MCP'. These are non-standard dependencies that the agent might attempt to fetch from public registries.
- [COMMAND_EXECUTION]: The skill uses shell commands (
agent-browser,jq) to process web content. While standard for its purpose, it involves interpolating a user-provided URL into a command line, which requires careful handling by the underlying execution environment to prevent command injection. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It processes content from arbitrary URLs to 'propose (or apply) content edits' to local files. Malicious instructions embedded in the target web page could potentially influence the agent's behavior.
- Ingestion points: Web content via
agent-browser open <url>, Google Search Console query metrics, and manual CSV exports. - Boundary markers: None specified in the prompt to delimit untrusted data from instructions.
- Capability inventory: The skill has the ability to write to the local file system ('apply edits directly') and execute shell commands.
- Sanitization: No sanitization or validation steps are defined for the ingested SEO data or web content before it is used to determine file modifications.
Audit Metadata