seo-technical-audit

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs using the PageSpeed Insights API with the API key included directly in a curl URL parameter (key={api_key}), which requires embedding a secret verbatim into generated commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow explicitly runs firecrawl and curl against arbitrary domains and URLs (e.g., "firecrawl map {domain}", "firecrawl scrape {url}", scraping robots.txt, sitemap.xml, and page HTML) so it ingests untrusted public web content and uses that content to drive audit decisions and follow-up actions.