seo-aeo-audit
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- EXTERNAL_DOWNLOADS (SAFE): The scripts `pagespeed.sh` and `search-console-export.mjs` make network requests to `googleapis.com`. According to the [TRUST-SCOPE-RULE], Google is a trusted organization, and these operations are necessary for the skill's primary function of SEO analysis.
- COMMAND_EXECUTION (LOW): The script `lighthouse.sh` executes the `lighthouse` command-line tool. While this involves sub-process execution, it is the intended purpose of the script to wrap this auditing tool. The input URL is sanitized before being used in a filename, though it is passed directly to the CLI tool.
- DATA_EXFILTRATION (SAFE): The scripts perform network operations to retrieve data (SEO metrics and search analytics). There is no evidence of sensitive local files (like SSH keys or AWS credentials) being accessed or transmitted.
- CREDENTIALS_UNSAFE (SAFE): The skill handles authentication correctly by requiring environment variables (`PAGESPEED_API_KEY` and `GSC_ACCESS_TOKEN`) rather than hardcoding secrets within the scripts.
- INDIRECT_PROMPT_INJECTION (LOW): The skill ingests data from external URLs via Lighthouse and PageSpeed. This creates a data ingestion surface (Category 8). However, the output is structured JSON intended for reporting, and there are no high-risk capabilities like `eval()` or `sudo` paired with this data ingestion.
Audit Metadata