Security audit

SEO Content Engine

Security checks across malware telemetry and agentic risk

Overview

This SEO writing skill mostly does what it says, but it uses a live Chrome session and a hard-coded local API-key file in ways users should review carefully.

Install only if you are comfortable with automated Google and competitor-site browsing from your machine and sending the resulting research prompt to Gemini. Use an isolated Chrome profile or test account, provide a dedicated Gemini API key through the environment rather than a personal .env path, avoid confidential campaign/client data, and review generated articles before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill exposes meaningful capabilities—environment access, network access, and file writing—without declaring them, which prevents users and host systems from making informed trust decisions before execution. In this context, the omission is more dangerous because the skill also relies on a hardcoded .env path, external API usage, browser automation, and output file creation, all of which increase the risk of unintended data access or side effects.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented purpose frames the skill as SEO content generation, but the actual behavior includes sensitive operational actions: loading secrets from a hardcoded local .env path, using a remote LLM API, attaching to an existing Chrome session, scraping external sites, and writing to arbitrary output paths. This mismatch is dangerous because users may invoke the skill expecting low-risk text generation while it actually performs credential-adjacent access, network transmission, browser session reuse, and filesystem modification.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill loads environment variables from a hard-coded absolute path outside the skill directory, creating unexpected cross-project secret access. For an SEO content generator, reaching into a specific user's workspace .env is unnecessary and can expose unrelated credentials if this code is reused or run on another machine with a sensitive file at that path.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill states it will research competitors by searching Google and visiting articles, but it does not clearly warn that this occurs through the user's active Chrome session and that search terms and browsing activity may be exposed to Google, target sites, and the Gemini API. In this skill context, that is materially risky because keywords can contain confidential business strategy, client plans, or unpublished marketing intents, and reuse of an authenticated browser session can leak more metadata than users expect.

Missing User Warnings

Medium
Confidence: 89%
Finding
The generated prompt includes browser-derived SERP snippets, URLs, and competitor page structure, then sends that material to Gemini without explicit user consent or disclosure. In an agent environment connected to a live browser, harvested page content may include sensitive or proprietary information from authenticated sessions, making this a real data-exfiltration risk.

VirusTotal

58/58 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.