Back to skill

Security audit

Distribb SEO Agent Skill: Backlinks Exchange, Writer, Keyword Research

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it gives an agent enough authority to create, schedule, update, and publish public business content without strong approval gates.

Install only if you want an agent to work with your Distribb account. Require the agent to show the final article, backlink targets, project, CMS destination, status, and schedule, then get explicit approval before any create, update, Planned scheduling, or publish call. Treat the API key and submitted drafts as sensitive business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README documents endpoints that can create, update, and publish articles to external CMS-connected systems, but it does not clearly warn that these actions modify live external content. In an agent context, omission of a confirmation/safety notice increases the chance of unintended publication or destructive edits, especially because the skill is explicitly designed for automation.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The README instructs users to export an API key and immediately use it in authenticated requests, but it does not include guidance on secure credential handling, least privilege, or avoiding accidental disclosure in logs, shell history, or shared environments. This is a real but low-severity issue because the document normalizes sensitive credential use without basic operational security context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to publish content to a connected CMS or schedule auto-publishing, but it does not require an explicit user confirmation or default-to-draft safeguard before taking an externally visible action. Because publishing changes the user's live website and can also trigger downstream social-media repurposing, this creates a real risk of unauthorized or premature content publication.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.