✓ Purpose & Capability
Name/description (SEO guide) match the included assets: many SEO reference documents and two utility scripts to generate a localized PDF report. No unrelated credentials, binaries, or install steps are requested in the registry metadata.
ℹ Instruction Scope
SKILL.md is an instruction-only workflow that references the local reference files and the PDF generator. The README explicitly instructs installing reportlab only when the user asks to generate PDFs. However, the SKILL.md content triggered a pre-scan flag for unicode-control-chars (possible prompt-injection attempt). Also the included Python modules read some environment variables (WINDIR, LOCALAPPDATA) to search for system fonts — this is understandable for font discovery but is not declared in requires.env.
✓ Install Mechanism
No automated install spec in the registry (instruction-only). The README asks the user to pip install reportlab manually; no remote downloads, URL extracts, or third-party installers are provided by the skill itself. This is low-risk from an install-mechanism perspective.
ℹ Credentials
The registry declares no required env vars or credentials (good). The code does read WINDIR and LOCALAPPDATA to locate Windows fonts and checks filesystem paths for system fonts — a reasonable, limited read for font registration. No network calls, API keys, or secrets are requested or used in the scripts.
✓ Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request permanent presence, nor does it modify other skills or global agent configuration. Its only file writes are user-directed (PDF report output path).
Scan Findings in Context
[unicode-control-chars] unexpected: The static pre-scan detected unicode control characters in SKILL.md. These characters are often used in prompt-injection attempts (to hide or reorder text) and are not expected for a documentation-style SEO guide. This finding does not by itself prove maliciousness, but it merits manual inspection of SKILL.md for hidden/invisible characters or injected instructions.
What to consider before installing
- Review SKILL.md in a plain-text/hex viewer to look for invisible Unicode control characters (e.g., U+202A..U+202E, U+200B). The pre-scan flagged such characters; if present, they can be used to conceal instructions or manipulate prompts. Remove them or ask the publisher to provide a sanitized copy.
- The package appears to do what it says: lots of reference docs and a local PDF generator. The Python scripts are self-contained, do not make network calls, and only read system font paths and environment variables needed to find fonts. That behavior is reasonable for PDF generation, but note it does read WINDIR/LOCALAPPDATA when run on Windows.
- If you plan to use the PDF report generator, install reportlab in a controlled environment (venv) as the README suggests and run the script locally, inspecting its output and any filesystem operations. The script writes only the user-chosen PDF output path.
- Confirm licensing/copyright expectations for included reference materials if that matters for your use case (the repo contains large excerpts of third-party docs).
- If you are not comfortable with the flagged unicode-control-chars or you cannot verify the author, avoid installing or enable the skill only in a sandboxed agent environment. Ask the publisher for a signed/verified source or a sanitized SKILL.md before use.
Overall: functionally coherent with one notable red flag (unicode control chars). Manual review of SKILL.md (and optionally running the scripts in a local sandbox) will resolve the remaining uncertainty.