IndexNow Setup

Security checks across malware telemetry and agentic risk

Overview

This skill sets up an IndexNow submission script that sends a website's sitemap URLs to the official IndexNow endpoint, which matches its stated purpose.

Install only for websites you control. Before running it, confirm the SITE_URL and IndexNow key are correct, make sure the key file is intentionally public, and review the sitemap so staging, admin, private, or unintended URLs are not submitted to search engines.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The skill instructs the agent to submit site URLs to external search-engine infrastructure but does not explicitly warn the user that URLs from the site's sitemap will be transmitted off-platform. In an agent setting, this can lead to unanticipated disclosure of internal, staging, or otherwise sensitive URLs if the sitemap is misconfigured or the user did not intend outbound sharing.

External Transmission

Medium

Category: Data Exfiltration
Content: The script: 1. Fetches `sitemap.xml` from the site 2. Extracts all `<loc>` URLs 3. POSTs them to `https://api.indexnow.org/IndexNow` For non-Node projects, invoke the script directly:
Confidence: 90% confidence
Finding: https://api.indexnow.org/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal