Skills
skills/abutun/claude-skill-aso-cosmicmeta-ss/aso-cosmicmeta-ss/Snyk

aso-cosmicmeta-ss

Fail

Audited by Snyk on Apr 2, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks for a Gemini API key and shows commands that accept or save the key as a CLI argument (e.g., --save-key "YOUR_KEY" and mentions --api-key), which encourages embedding secret values verbatim in generated commands or outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's workflow (Phase 1 in SKILL.md) requires running update.py which fetches release metadata from the public GitHub API (https://api.github.com/repos/abutun/claude-skill-aso-cosmicmeta-ss/releases/latest), so the agent ingests untrusted, public third‑party content and uses it to decide/suggest running updates (including git pull), which can materially influence subsequent tool actions.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
Apr 2, 2026, 02:48 AM
Issues
2