PLS SEO Audit

Security checks across malware telemetry and agentic risk

Overview

This is a normal SEO audit reference skill with expected web and Google API examples, though users should handle URLs and credentials carefully.

Installing this skill is reasonable if you want SEO audit guidance. Before running commands, confirm you are authorized to test the target URLs, do not send private or staging URLs to Google APIs without approval, keep API keys and bearer tokens out of chats and source files, and use trusted or pinned packages when running Lighthouse with npx.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 90% confidence
Finding
The skill includes a command that sends a user-supplied target URL to Google's Mobile-Friendly Test API, but it does not disclose that the URL will be transmitted to a third party. In a security review context, undisclosed external transmission is a real privacy and operational risk, especially for internal, preproduction, or otherwise sensitive URLs.

Missing User Warnings

Medium, 94% confidence
Finding
This Rich Results Test example transmits a target URL to Google's Search Console endpoint and uses an authorization token, yet the skill gives no warning about credential handling or third-party disclosure. That combination creates a genuine risk of leaking sensitive URLs and encouraging unsafe token usage in copied commands.

VirusTotal

65/65 vendors flagged this skill as clean.
