SEO Audit Report

Security checks across malware telemetry and agentic risk

Overview

This is a normal SEO audit helper that makes live web requests and can save a report, with no evidence of hidden or destructive behavior.

Install if you want a local SEO audit tool and are comfortable with it contacting the target website. Use it only on domains you own or are authorized to assess, avoid localhost or private-network URLs unless intentional, keep crawl depth and max pages modest, and use a new report filename to avoid overwriting existing files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The description uses broad triggers like 'audit a website's SEO,' 'check technical SEO issues,' and 'generate an SEO improvement plan,' which could match many common user requests and cause the skill to activate more often than intended. In a skill with network crawling capability, overbroad activation increases the chance of unanticipated external requests against arbitrary domains.

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The documentation explains audit commands but does not clearly warn that execution may crawl multiple pages and optionally write a report file. Missing operational disclosure can mislead users about side effects, especially when `--depth` expands network activity beyond a single page and `--output` persists data locally.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: This skill performs live outbound HTTP requests to a user-supplied target and then crawls additional internal links automatically, but it provides no explicit warning, confirmation, or scope guard before doing so. In an agent setting, this can cause unintended network interaction with third-party or sensitive internal hosts, especially if the supplied URL points to internal infrastructure or redirects the crawler into a broader-than-expected scan.

Missing User Warnings

Low

Confidence: 79% confidence
Finding: The script writes the generated report directly to a user-specified path using Path(args.output).write_text(report) without checking whether the file already exists or warning before overwrite. In an automated agent workflow, this can unintentionally clobber existing local files if the output path is derived from user input or passed through by another component.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal