geo-aeo-optimizer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt asks the user for an OpenAI API key and explicitly shows passing it as a command-line argument (--api-key KEY) for competitor discovery, which requires embedding the secret verbatim in generated commands/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow (SKILL.md Step 1b and Step 2) explicitly uses WebFetch to retrieve arbitrary webpage HTML (user-provided URLs and discovered competitor URLs) and then analyzes that untrusted public content (via scripts/analyze_page.py and scripts/discover_competitors.py) to drive scoring, gap analysis, and rewrites—allowing third-party page content to materially influence agent decisions and actions.