Skills
skills/rebyteai-template/rebyte-skills/seo-analytics/Snyk

seo-analytics

Fail

Audited by Snyk on Feb 21, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly requires asking the user for a Google API key and shows/encourages passing it inline (CLI argument and appending &key=... to request URLs), which forces the agent to receive and potentially include the secret verbatim in generated commands or outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's analyze.ts (and SKILL.md) explicitly fetches PageSpeed results for arbitrary user-supplied public URLs via the Google PageSpeed Insights API (see analyzeUrl which calls https://www.googleapis.com/pagespeedonline/v5/runPagespeed?url=...), and the script parses audit fields (titles/descriptions/displayValue) from those responses into actionable "opportunities" and report decisions, so untrusted third‑party page content can influence outputs.
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 21, 2026, 02:25 PM