Yoast SEO

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Yoast SEO integration, but it gives agents broad authenticated power to change live site SEO settings without clear confirmation or scope guardrails.

Review before installing. Connect only the intended Yoast/WordPress site, verify the permissions shown during Membrane authentication, prefer named actions over raw proxy calls, and require explicit approval before any write or delete operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill advertises multiple update actions that can change live SEO settings for posts, pages, taxonomies, and global configuration, but it does not warn that these are production-affecting operations or suggest confirmation before execution. In an agentic setting, this increases the chance of unintended modifications to public site metadata, indexing behavior, and search visibility.

Missing User Warnings

Medium
Confidence: 95%
Finding
The proxy-request section enables arbitrary authenticated API access, potentially including write and delete operations, yet it is presented without guardrails, confirmation requirements, or scope limitations. This can let an agent perform unintended destructive or broad changes beyond the safer prebuilt actions, especially when natural-language instructions are ambiguous.

VirusTotal

65/65 vendors flagged this skill as clean.
