Security audit

Siluzan SEO

Security checks across malware telemetry and agentic risk

Overview

This SEO skill is not clearly malicious, but its installer can make broad system-wide changes and its prompts allow fabricated customer reviews, so it should be reviewed before installation.

Install only if you are comfortable with global system changes. Prefer manual npm installation from a registry you choose, avoid the one-line curl/iex installers, review the scripts first, and use a scoped init target instead of --global --force. Also require the generated SEO output to omit testimonials unless they come from verified source material.
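A triage helper for the "review the scripts first" step, added here as an example and not code from the skill, its installer, or the SkillSpector tooling: it scans a downloaded installer for the behaviours the findings below flag (a remote script piped into a shell, a pipe into sudo, a persistent npm registry change, a forced global init, an executable fetched over the network) and reports any non-default registry left in an .npmrc afterwards. The sample installer text is constructed for this example, modeled on the excerpts quoted in the findings; the rules are regex heuristics over lines, not a shell or PowerShell parser, so hits are review prompts rather than verdicts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_NPM_REGISTRY = "https://registry.npmjs.org/"

# (rule name, pattern, why it matters). Heuristics mirroring this audit's findings;
# they match single lines and will miss multi-line or heavily quoted constructions.
RULES = [
    ("pipe-to-shell",
     re.compile(r"(?:curl|wget|irm|iwr|Invoke-WebRequest|Invoke-RestMethod)\b[^\n|]*\|\s*"
                r"(?:sudo\s+(?:-\S+\s+)*)?(?:bash|sh|zsh|iex|Invoke-Expression)\b"),
     "remote script executed without being saved or reviewed"),
    ("process-substitution-shell",
     re.compile(r"\b(?:bash|sh|zsh)\s+<\(\s*(?:curl|wget)\b"),
     "remote script executed via process substitution"),
    ("pipe-to-sudo",
     re.compile(r"\|\s*sudo\b"),
     "piped content runs as root"),
    ("npm-global-registry-change",
     re.compile(r"\bnpm\s+config\s+set\s+registry\b"),
     "persistent, user-wide npm registry change"),
    ("global-force-init",
     re.compile(r"--global\b[^\n]*--force\b|--force\b[^\n]*--global\b"),
     "forced write into global skill directories"),
    ("exe-download",
     re.compile(r"https?://\S+\.exe\b", re.IGNORECASE),
     "executable fetched from the network; look for a checksum or signature step"),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    why: str
    text: str


def audit_installer(script_text: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit, skipping blank and comment lines."""
    findings: List[Finding] = []
    for n, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, rx, why in RULES:
            if rx.search(line):
                findings.append(Finding(n, name, why, stripped))
    return findings


def npmrc_registry(npmrc_text: str) -> Optional[str]:
    """Return the registry set in an .npmrc body, or None if it is absent or the default."""
    registry = None
    for line in npmrc_text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "registry":
            registry = value.strip()  # last assignment wins, as npm reads it
    if registry is None or registry.rstrip("/") == DEFAULT_NPM_REGISTRY.rstrip("/"):
        return None
    return registry


# Constructed sample for this example, modeled on the audit's excerpts; not the real installer.
SAMPLE_INSTALLER = r"""#!/usr/bin/env bash
# constructed sample installer
set -e
if command -v apt-get >/dev/null 2>&1; then
  curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
  sudo apt-get install -y nodejs
else
  curl -fsSL https://install-node.vercel.app/lts | bash -s -- --yes
fi
npm config set registry https://registry.npmmirror.com
npm install -g siluzan-seo
siluzan-seo init --global --force
"""

if __name__ == "__main__":
    for f in audit_installer(SAMPLE_INSTALLER):
        print(f"line {f.line_no} [{f.rule}] {f.why}: {f.text}")
    drift = npmrc_registry("registry=https://registry.npmmirror.com\n")
    print("npmrc registry drift:", drift)
```

Usage: fetch the installer with `curl -o install.sh` instead of piping it, run the auditor over the saved file, and record `npm config get registry` (or feed ~/.npmrc to npmrc_registry) before and after any install you do proceed with, so a registry change cannot slip in silently.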

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exposes shell-execution behavior through installation and CLI commands but does not declare permissions or clearly scope that capability. Hidden execution capability increases the chance an agent will perform system-changing actions without appropriate consent, review, or sandboxing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is SEO JSON generation, but the file also instructs the agent to install software, run external setup scripts, modify package-management behavior, and register skills across assistant environments. This mismatch is dangerous because users and policy layers may trust the skill for harmless content generation while it actually performs privileged environment changes.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documentation directs the agent to perform local installation and update operations that are not necessary for generating schema output. Expanding a content skill into local environment modification increases attack surface and can lead to unintended software installation or persistence on the host.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill recommends one-line remote script execution via curl/PowerShell piping directly into a shell, which allows arbitrary upstream code to run on the local machine. For a schema-generation skill, this capability is unjustified and creates significant supply-chain and remote-code-execution risk if the hosting URL, package, or transport path is compromised.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The child skill's manifest describes generation of a full backlink article ('英文正文 + 中文总结', i.e. 'English body text + Chinese summary') while the parent skill is explicitly scoped to structured SEO JSON deliverables such as output.json packages. This scope drift can cause the wrong capability to be invoked, leading to policy bypass, unexpected freeform content generation, and downstream consumers receiving unstructured data where structured JSON was expected.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The installer invokes `siluzan-seo init --global --force` and then advertises registration into many assistants' global skill directories, which is broader than what a narrowly scoped SEO JSON generation skill needs. Force-writing into multiple agent ecosystems expands persistence and trust surface without explicit user consent, so a compromised or overly broad package could affect multiple tools at once.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script installs Git for Windows from a vendor-hosted executable solely as a fallback execution path for agent clients, which is unrelated to the stated SEO JSON output purpose. Downloading and silently executing an external EXE increases supply-chain and endpoint modification risk, especially because the binary is not verified in-script with a checksum or signature check beyond normal platform behavior.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The installer changes the user's global npm registry to `https://registry.npmmirror.com`, an environment-wide configuration change unrelated to generating SEO schemas. This can redirect future package installs for unrelated projects through a third-party mirror, altering dependency trust boundaries and creating lasting supply-chain risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The installer force-registers the skill into many AI assistant global skill directories, which exceeds the narrowly described SEO JSON generation purpose and expands persistence across unrelated tools. This broad cross-platform installation increases the blast radius if the package is compromised and creates stealthy filesystem changes users may not expect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script changes the user's global npm registry to a mirror, which persists beyond this install and affects all future npm operations. That is an unnecessary side effect for installing an SEO content skill and could redirect later package installs through infrastructure the user did not choose.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The manifest explicitly allows the model to generate fictional customer reviews when no real review data exists, while presenting the query as sourcing real testimonials. This creates a deceptive-content path that can produce false trust signals, exposing users to legal, compliance, and reputational harm, especially in B2B marketing contexts where claims and endorsements matter.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The one-click install instructions invoke remote scripts without prominently warning that they will execute code and alter the system. Lack of disclosure undermines informed consent and makes it more likely an agent or user will run privileged commands they would otherwise scrutinize.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The prompt mandates a Chinese summary and full Chinese translation regardless of user request. This can cause unnecessary cross-language transformation and broader disclosure of source or generated content, which is risky when outputs may contain proprietary business information from the RAG knowledge base or user-provided SEO material. In this skill context, the forced translation requirement increases exposure because the tool is intended for structured content generation using enterprise knowledge-base context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation states that PDF export may download and cache fonts to the local system, but it does not clearly warn the user before execution that a network fetch and local write can occur automatically. This matters because users may assume export is a purely local conversion step; in restricted or privacy-sensitive environments, unexpected downloads can violate policy, leak environment metadata, or create compliance issues.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation recommends piping remotely fetched scripts directly into a shell (`bash <(curl ...)` and PowerShell `irm ... | iex`), which executes unreviewed code from the network immediately. In this skill context, that is especially dangerous because the installer also performs global package installation and writes to assistant skill directories, increasing the blast radius if the remote content or package supply chain is compromised.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script silently persists a new global npm registry without warning or confirmation, which affects all subsequent npm activity by the user. Hidden configuration drift is dangerous because users may unknowingly pull packages from a different ecosystem mirror and have difficulty tracing later package integrity or availability issues.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer force-registers the skill into multiple global AI assistant directories without asking the user to confirm the affected platforms. For a skill whose declared purpose is SEO JSON generation, this broad, persistent integration is more dangerous because it extends influence into unrelated assistants and may expose users to unexpected behavior across tools.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The installer silently makes a persistent global configuration change to npm without explicit warning or confirmation. Even if not directly malicious, undisclosed system-wide changes reduce user control and can facilitate supply-chain risk by steering future installs to a non-default registry.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script downloads remote content and executes it via bash with elevated privileges and no verification or confirmation. This is dangerous because compromise of the upstream server, network path, or fetched script would immediately yield root-level code execution on the user's system.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer force-registers the skill globally across multiple directories without warning the user about the filesystem changes or asking for consent. For a narrowly scoped SEO tool, silent persistence across many assistants is more dangerous because it broadens the trust boundary and makes removal harder.

Ssd 4

Medium
Confidence
97% confidence
Finding
Permitting fabricated customer reviews introduces a deceptive generation workflow that can gradually normalize false claims in published SEO pages. In a marketing-content skill, this context makes the issue more dangerous because outputs are likely to be customer-facing and used to influence purchasing decisions.
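To enforce the "omit testimonials unless they come from verified source material" rule mechanically, for both the Intent-Code Divergence finding above and this one, the following check is added here as an example; it is not code from the skill or its audit tooling. It assumes the output.json carries schema.org JSON-LD Review objects with reviewBody and author fields, which the page does not confirm, and both the source material and the sample output are constructed for this example. A review is kept only when its body text and author name both appear in the supplied source material; anything else is removed, and an aggregateRating computed over removed reviews is dropped with it so no derived trust signal survives.

```python
import json
import re
import unicodedata
from typing import Any, Dict, Iterable, List


def _normalize(text: str) -> str:
    # Case- and punctuation-insensitive form so "Great product!" matches "great product".
    text = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(re.sub(r"[^\w\s]", " ", text).split())


def _is_review(node: Any) -> bool:
    if not isinstance(node, dict):
        return False
    t = node.get("@type")
    return "Review" in (t if isinstance(t, list) else [t])


def _author_name(review: Dict[str, Any]) -> str:
    author = review.get("author", "")
    return author.get("name", "") if isinstance(author, dict) else str(author)


def review_is_verified(review: Dict[str, Any], sources: Iterable[str]) -> bool:
    """True only if the review body and (when present) the author name occur in the sources."""
    corpus = _normalize("\n".join(sources))
    body = _normalize(str(review.get("reviewBody", "")))
    name = _normalize(_author_name(review))
    return bool(body) and body in corpus and (not name or name in corpus)


def unverified_reviews(output: Any, sources: Iterable[str]) -> List[Dict[str, Any]]:
    """Collect every Review node anywhere in the JSON tree that fails verification."""
    sources = list(sources)
    found: List[Dict[str, Any]] = []

    def walk(n: Any) -> None:
        if isinstance(n, dict):
            if _is_review(n) and not review_is_verified(n, sources):
                found.append(n)
            for v in n.values():
                walk(v)
        elif isinstance(n, list):
            for x in n:
                walk(x)

    walk(output)
    return found


def strip_unverified(output: Any, sources: Iterable[str]) -> Any:
    """Return a copy of output without unverified Review nodes; a node that lost reviews
    also loses its aggregateRating, which was computed over them."""
    sources = list(sources)

    def drop(x: Any) -> bool:
        return _is_review(x) and not review_is_verified(x, sources)

    def walk(n: Any) -> Any:
        if isinstance(n, dict):
            out: Dict[str, Any] = {}
            dropped = False
            for k, v in n.items():
                if drop(v):
                    dropped = True
                    continue
                new_v = walk(v)
                if isinstance(v, list) and len(new_v) != len(v):
                    dropped = True
                out[k] = new_v
            if dropped:
                out.pop("aggregateRating", None)
            return out
        if isinstance(n, list):
            return [walk(x) for x in n if not drop(x)]
        return n

    return walk(output)


# Constructed sample source material, as a reviewer might export it from a CRM.
VERIFIED_SOURCES = [
    "Customer: Jane Doe, Acme Logistics. Quote: 'Cut our onboarding time in half.'",
]

# Constructed sample output.json fragment (assumed schema.org JSON-LD shape).
SAMPLE_OUTPUT = {
    "@context": "https://schema.org",
    "@type": "Product",
    "name": "Example Widget",
    "aggregateRating": {"@type": "AggregateRating", "ratingValue": "4.9", "reviewCount": "2"},
    "review": [
        {"@type": "Review", "author": {"@type": "Person", "name": "Jane Doe"},
         "reviewBody": "Cut our onboarding time in half."},
        {"@type": "Review", "author": {"@type": "Person", "name": "John Smith"},
         "reviewBody": "Best vendor we have ever worked with!"},
    ],
}

if __name__ == "__main__":
    for r in unverified_reviews(SAMPLE_OUTPUT, VERIFIED_SOURCES):
        print("unverified review by", _author_name(r))
    print(json.dumps(strip_unverified(SAMPLE_OUTPUT, VERIFIED_SOURCES), indent=2))
```

Run this over the generated output.json before publishing; a non-empty result from unverified_reviews is a release blocker, and the stripped copy is what goes to the page. Exact-text matching is deliberately strict: a paraphrased or "improved" quote is not a verified testimonial.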

External Script Fetching

High
Category
Supply Chain
Content
        brew link --overwrite node@22 2>/dev/null || true
      else
        info "Installing Node.js LTS via install-node.vercel.app..."
        curl -fsSL https://install-node.vercel.app/lts | bash -s -- --yes
      fi
      ;;
    linux)
Confidence
97% confidence
Finding
curl -fsSL https://install-node.vercel.app/lts | bash

External Script Fetching

High
Category
Supply Chain
Content
        sudo yum install -y nodejs
      else
        info "Installing Node.js LTS via install-node.vercel.app..."
        curl -fsSL https://install-node.vercel.app/lts | bash -s -- --yes
      fi
      ;;
    gitbash)
Confidence
97% confidence
Finding
curl -fsSL https://install-node.vercel.app/lts | bash

Chaining Abuse

High
Category
Tool Misuse
Content
    linux)
      if command -v apt-get >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (apt)..."
        curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
        sudo apt-get install -y nodejs
      elif command -v yum >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (yum)..."
Confidence
96% confidence
Finding
| sudo

Chaining Abuse

High
Category
Tool Misuse
Content
        sudo apt-get install -y nodejs
      elif command -v yum >/dev/null 2>&1; then
        info "Installing Node.js 22.x via NodeSource (yum)..."
        curl -fsSL https://rpm.nodesource.com/setup_22.x | sudo -E bash -
        sudo yum install -y nodejs
      else
        info "Installing Node.js LTS via install-node.vercel.app..."
Confidence
96% confidence
Finding
| sudo

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.