dataforseo-labs-api
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill processes untrusted data from an external API, creating a risk for indirect prompt injection.
  - Ingestion points: Retrieves data from DataForSEO Labs endpoints (e.g., SERP results, keyword ideas, domain data) in SKILL.md.
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are present in the processing logic.
  - Capability inventory: Possesses network capabilities via cURL to interact with external APIs.
  - Sanitization: No evidence of sanitization or validation of the external API payloads before processing by the agent.
- [Metadata Poisoning] (MEDIUM): The skill's metadata claims it was generated with 'OpenAI GPT-5.2', a non-existent version at the time of analysis, which is deceptive and may mislead users about the skill's origin or capabilities.
- [Data Exposure & Exfiltration] (LOW): The skill performs outbound network operations to api.dataforseo.com and docs.dataforseo.com, which are not on the trusted domain whitelist.
Audit Metadata