dataforseo-backlinks-api

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill requires constructing HTTP requests using HTTP Basic Auth (Authorization: Basic base64(login:password)) and lists user credentials as an explicit input, which means an agent could be prompted to collect and embed raw login:password values or their base64 form into generated requests/commands, creating an exfiltration risk even though env-var examples are shown.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill calls the DataForSEO API (base https://api.dataforseo.com/ and endpoints such as /v3/backlinks/backlinks/live and /v3/backlinks/summary/live) to retrieve backlinks, anchors, and referring-domain data aggregated from public websites and the open web, which is untrusted third-party content the agent will read and interpret as part of its workflow, enabling indirect prompt injection.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 03:55 AM