seo-analytics

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires asking the user for a Google API key and shows/encourages passing it inline (CLI argument and appending &key=... to request URLs), which forces the agent to receive and potentially include the secret verbatim in generated commands or outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill calls the Google PageSpeed Insights API (analyzeUrl builds requests to https://www.googleapis.com/pagespeedonline/v5/runPagespeed?url=...) for arbitrary user-supplied public URLs and embeds returned audit.title/description and other audit fields into the generated HTML report, so it ingests and displays untrusted third-party web content.