serp-analyzer

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes example curl commands and Basic auth that place API keys and login:password values directly into requests (e.g., api_key=${SERPAPI_API_KEY}, base64('${DATAFORSEO_LOGIN}:${DATAFORSEO_PASSWORD}')), which encourages embedding secrets verbatim in generated commands/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly performs web searches and fetches top-ranking public URLs (uses the WebSearch tool and WebFetch on the top 5–10 results and optional SerpAPI/DataForSEO/Semrush APIs), so it ingests and analyzes untrusted, third-party web content as part of its workflow.
Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:58 AM