seo-geo-optimizer
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt instructs use of an IndexNow key passed directly on the command line (e.g., --key YOUR_KEY) and even suggests generating a key into ./public, which requires embedding or handling secret values verbatim in commands—an explicit high-risk pattern for secret exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly includes Phase 3 scripts (e.g., serp_analyzer.py's fetch_serp_results, competitive_analyzer.py, and serp_feature_tracker.py) that fetch and parse top-10 SERP results and competitor URLs from the open web (public/untrusted third‑party pages), which the agent is expected to read and analyze as part of its workflow.
Audit Metadata