seo-domain-analyzer
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill handles the APIFY_API_TOKEN and transmits it to api.apify.com via query parameters in the run_apify_actor function within scripts/analyze_domain.py. This is a security concern as URL parameters are often logged by web servers and proxies.
- [COMMAND_EXECUTION]: The analyze_domain.py script writes output to paths supplied via the --output and --markdown arguments. Without path validation, these arguments could be used to overwrite sensitive files if the agent is directed to an unsafe location.
- [EXTERNAL_DOWNLOADS]: The skill utilizes external Apify actors to perform its primary scraping functions. While Apify is a well-known service, the skill's functionality depends on these third-party scripts.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted text (keywords, competitor names, and SEO metadata) from scraped web content. (1) Ingestion points: External data enters the system through Apify actor datasets in the fetch_semrush_data, fetch_ahrefs_data, and check_keyword_rankings functions. (2) Boundary markers: There are no delimiters or instructions used to separate the external data from the agent's internal logic. (3) Capability inventory: The skill can perform network requests and write to the filesystem. (4) Sanitization: The script does not sanitize or validate the content of the strings returned by the scrapers before including them in the output report.
Audit Metadata