AI SEO Content Optimization (AI SEO 内容优化)

Security checks across malware telemetry and agentic risk

Overview

This SEO skill is coherent, but it tells users to send page content and payment proof to a plain-HTTP IP address without enough privacy or transport-security disclosure.

Review before installing or using. Only submit content you are comfortable sending to an external service, avoid unpublished or confidential material, and do not send payment proof over the documented plain-HTTP endpoint unless the publisher provides an HTTPS endpoint and clear data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding: The skill documents transmitting both user content and payment credentials to a remote endpoint over plain HTTP, which exposes sensitive data to interception or tampering by any on-path attacker. The lack of any user-facing disclosure or warning further increases risk because users may unknowingly send proprietary page content or payment artifacts to an insecure third-party service.

Missing User Warnings

Medium
Confidence: 91%
Finding: The example request encourages users to upload arbitrary page content to an external service but does not warn that the content leaves the local environment for remote analysis. This can lead to accidental disclosure of confidential, unpublished, regulated, or customer-owned material because users are not prompted to assess sensitivity before submission.

VirusTotal

61/61 vendors flagged this skill as clean.
