Skylv Seo Agent

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only SEO assistant with disclosed SEO API and crawling concepts, and no evidence of hidden execution, persistence, or credential access.

Install this only if you want an SEO workflow helper. Before using live audits or keyword metrics, confirm which SEO provider APIs are configured, use least-privilege API keys, set the correct market/language, and crawl only sites you own or have permission to audit.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger definitions are broad enough to activate on ordinary discussion of SEO, keywords, rankings, or optimization, which can cause the skill to run without clear user intent. In an agent ecosystem, overbroad auto-activation can hijack unrelated conversations, increase unintended data handling, and bypass user expectations about when external SEO-oriented actions should occur.

Natural-Language Policy Violations

Medium

Confidence: 79% confidence
Finding: The skill function defaults to location='CN' and language='zh' without explicit user opt-in, which can silently steer outputs toward Chinese-market assumptions and potentially send queries using the wrong locale context. While not a direct code-execution issue, this can cause privacy, compliance, or integrity problems if user requests are analyzed against unintended regional settings.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal