geo-content-optimizer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to instructions embedded in external content it fetches.
  - Ingestion points: Step 1 in SKILL.md allows input via '网页 URL (使用 WebFetch 获取)' ("web page URL (fetched with WebFetch)").
  - Boundary markers: There are no delimiters or 'ignore' instructions to prevent the agent from obeying commands found within the fetched webpage content.
  - Capability inventory: The skill possesses 'Read/Write' tools and generates output that influences the user session.
  - Sanitization: No sanitization or validation of the fetched HTML/Markdown content is performed before LLM processing.
- [Data Exposure & Exfiltration] (LOW): The skill performs automated file system writes based on processed data.
  - Evidence: Section '数据存储' ("Data storage") specifies writing to ~/.claude/cache/geo-content-optimizer/.
  - Context: Writing untrusted, unsanitized data from external web sources to the local filesystem is a security risk, even in a cache directory.
Recommendations
- AI detected serious security threats
Audit Metadata