Back to skill

Security audit

Keyword Rank Monitor

Security checks across malware telemetry and agentic risk

Overview

This SEO keyword-monitoring skill is coherent and has no executable code or hidden credential access, though users should understand its dependency installs and how monitoring data may be retained.

Before installing, confirm how monitored keywords, competitor terms, ranking history, alerts, and any paid/API features are stored or transmitted. Avoid entering sensitive product strategy terms unless you are comfortable with that monitoring data being retained for reports and alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill exposes multiple natural-language trigger examples such as adding monitoring, viewing history, finding long-tail keywords, competitor analysis, and setting alerts, but it does not define clear activation boundaries, required inputs, or disambiguation rules. In an agent environment, this can cause over-broad invocation on loosely related SEO, ecommerce, or analytics queries, leading to unintended data access, noisy automation, or execution in contexts the user did not explicitly request.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.