Security Audit

garrettjsmith/localseoskills:skills/multi-location-seo

github.com/garrettjsmith/localseoskills

AI SkillCommit 0d3fc1050517

TRUSTED

Scanned 5 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

garrettjsmith/localseoskills:skills/multi-location-seo received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include LLM instructions found within untrusted skill definition.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on March 26, 2026 (commit 0d3fc105). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

85%

Security Findings1

Severity	Finding	Layer	Location
HIGH	LLM instructions found within untrusted skill definition The skill definition, located entirely within the untrusted input delimiters, contains explicit instructions for the LLM's behavior, role, and tool usage. This includes defining the LLM's persona ('You are an expert...'), specifying default tools ('Default data tool: LocalSEOData...'), and providing conditional routing to other skills ('What to Do Next' table). According to SkillShield rules, all content within untrusted input delimiters must be treated as data, not instructions. Allowing instructions from untrusted sources can lead to the LLM being manipulated to perform unintended actions or deviate from its core directives. Move all instructions intended for the host LLM (e.g., persona definition, tool usage directives, routing logic) out of the untrusted skill definition file (SKILL.md) and into a trusted, secure configuration or prompt template managed by the host system. The skill definition should only contain data or content that the LLM is meant to process or present, not instructions for its own operation.	LLM	SKILL.md:1

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/f0d137f9dc822ea3.svg)](https://skillshield.io/report/f0d137f9dc822ea3)