seo-forge

Fail

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/seo-research.sh is vulnerable to shell command injection through an unquoted here-document.
  • Evidence: The script uses SERP_PAYLOAD=$(cat <<EOF ... "keyword": "$KEYWORD" ... EOF) to construct JSON data. Because the EOF delimiter is not quoted, the shell performs command substitution on the $KEYWORD variable before it is processed.
  • Impact: An attacker or a malicious keyword suggestion could execute arbitrary commands on the host system (e.g., using a keyword like $(id) or `rm -rf /`).
  • [EXTERNAL_DOWNLOADS]: The skill uses curl to communicate with the DataForSEO API (api.dataforseo.com) to fetch live search engine results and keyword data.
  • Context: This is a core feature of the skill for performing SEO research. The operations are performed over HTTPS and target a well-known service provider.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 21, 2026, 07:27 PM