Security audit

dfseo-cli

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent DataForSEO command-line helper, but users should handle API credentials and submitted SEO targets carefully.

Install only if you trust the external dfseo package and DataForSEO account usage. Prefer environment variables or interactive setup over passing passwords on the command line, protect ~/.config/dfseo/config.toml, review any --from-file target lists before submitting them, and use --dry-run or explicit limits for large or billable jobs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (6)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation explicitly advertises --login and --password flags for a third-party API but provides no warning about secure credential handling. Supplying secrets on the command line is risky because they may be exposed via shell history, process listings, logs, transcripts, or agent/tool telemetry, which is especially relevant in an agent skill that users may invoke through automated workflows.

Missing User Warnings

Low

Confidence: 82% confidence
Finding: The bulk commands support --from-file input but do not warn that every listed target will be sent to DataForSEO, an external service. In an agent context, users may assume local files are processed only locally, so this omission can lead to unintended disclosure of internal domains, customer assets, or confidential target inventories.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation explicitly instructs users to pass DataForSEO credentials via `--login` and `--password` on the command line, which can expose secrets through shell history, process listings, terminal logs, CI job output, and shared session tooling. In an agent/terminal skill context, this is more dangerous because credentials may be captured by orchestration layers, transcripts, or debugging output beyond the local shell.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The documentation explicitly encourages passing DataForSEO credentials via `--login` and `--password`, and elsewhere notes credentials can be persisted to `~/.config/dfseo/config.toml`, but it does not warn that CLI arguments may be exposed via shell history, process listings, logs, or transcripts. In an agent/terminal skill context, this is more dangerous because commands are likely to be copied, logged, or run in shared environments, increasing the chance of credential disclosure.

Missing User Warnings

Low

Confidence: 95% confidence
Finding: The reference documents `--login` and `--password` CLI options directly, which encourages users to place credentials on the command line. Command-line arguments are commonly exposed via shell history, process listings, logs, and debugging output, so this can leak DataForSEO credentials to other local users or monitoring systems.

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The document describes commands that send user-supplied targets and optionally account credentials to the external DataForSEO service, but provides no explicit privacy or data-handling warning. Users may unknowingly submit sensitive internal URLs, staging endpoints, or credentials to a third party, increasing the risk of unintended disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.