serp-feature-sniper
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE (flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to well-known and reputable SEO data providers including SerpAPI, Serper.dev, and DataForSEO to retrieve search engine results.
- [COMMAND_EXECUTION]: The installation metadata utilizes npx goose-skills, which is a standard method for installing and managing agent capabilities via the npm registry.
- [CREDENTIALS_UNSAFE]: The documentation provides guidance on using environment variables (e.g., SERPAPI_KEY, SERPER_API_KEY) to manage API authentication. No hardcoded secrets or credentials were found in the source code.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process data from external competitor websites via the fetch_webpage tool. While this presents a potential surface for indirect prompt injection if those pages contain malicious instructions, the risk is inherent to the skill's primary function of web analysis.
- Ingestion points: Competitor URLs processed through fetch_webpage and SERP data from external APIs.
- Boundary markers: Not explicitly defined in the provided prompt instructions.
- Capability inventory: Limited to web searching, page fetching, and report generation.
- Sanitization: Standard LLM processing is used; no specific sanitization logic for external content is implemented in the script.
Audit Metadata