seo-content-audit
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions prompt the agent to build and execute shell commands by interpolating variables like [domain], [competitors], and [keywords] directly into a bash command string.
  - Evidence: In SKILL.md, Phases 2, 3, and 4 provide command templates like `python3 skills/site-content-catalog/scripts/catalog_content.py --domain "[domain]"`. If these variables contain shell metacharacters such as backticks, semicolons, or double quotes, an attacker could execute arbitrary code on the host system.
- [DATA_EXFILTRATION]: The skill sends business-sensitive information to external third-party SEO platforms.
  - Evidence: The skill requires an `APIFY_API_TOKEN` and transmits target domains, competitor lists, and strategic keywords to external endpoints (Apify, Semrush, Ahrefs) as part of its core functionality.
- [PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection via processed web content.
  - Ingestion points: Phase 2 and Phase 6 involve automated crawling and fetching of content from arbitrary external websites.
  - Boundary markers: The skill lacks specific delimiters or instructions to treat external web content as untrusted data, increasing the risk that embedded malicious instructions could influence agent behavior during synthesis.
  - Capability inventory: The agent has the authority to execute local scripts via python3 and write analysis reports to the filesystem.
  - Sanitization: No evidence is provided for sanitizing or filtering the content fetched from websites before it is analyzed by the language model.