search-visibility-optimizer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt asks the user for an OpenAI API key for competitor discovery and shows using it verbatim in a command-line argument (--api-key {KEY}), which requires the LLM/agent to handle and emit the secret value directly (high exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches arbitrary target and competitor webpages (SKILL.md Step 3: "Use WebFetch to retrieve the page HTML" and fetch /robots.txt and /llms.txt), and the included scripts (scripts/analyze_page.py, scripts/technical_checker.py, scripts/fix_generator.py, scripts/discover_competitors.py) parse and act on that untrusted public web content to drive scoring, competitor selection, and generated fixes (robots/meta/schema), so third-party page content can materially influence agent decisions and follow-up actions.