handover
Audited by Snyk on May 22, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to extract an auth cookie (auth_token) from browser storage and write/read it into .claude-plugin/project-config.json (and use it for sub-skills), which requires the agent to handle secrets and could cause those secret values to be exposed in tool outputs or messages.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill contains deliberate orchestration to harvest and persist an authentication token via automated Playwright login (extracting an auth_token cookie and saving it to a local .claude-plugin config), instructs deleting the browser storage file and stale config (trace removal), and then grants/uses that token with parallel foreground agents that have full tool permissions (Bash, Read, Write, etc.), creating a clear avenue for credential theft, unauthorized API access, and data exfiltration by sub-skills or malicious agents.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill fetches and parses remote data and authentication artifacts from the public admin.hlx.page service (see Step 1.6.2 curl to "https://admin.hlx.page/config/${ORG}/sites.json" and Step 1.6.2/1.6.3 Playwright login to "https://admin.hlx.page/login/${ORG}/${SITE}/main" with extraction of the auth_token from .claude-plugin/auth-storage.json), so it ingests untrusted third-party content and uses those values (site name and auth token) to drive subsequent actions and tool calls.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill runs npm/npx install/execute at runtime (e.g., "npm install -g playwright" / "npx playwright"), which will fetch and execute remote code from the npm registry (e.g., https://registry.npmjs.org/playwright), and it also performs runtime HTTP calls to https://admin.hlx.page/config/${ORG}/sites.json and opens https://admin.hlx.page/login/${ORG}/${SITE}/main — the npm fetch/execute step constitutes a clear runtime external dependency that can execute remote code.
MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
- Hidden Unicode characters detected (1 type(s) found)
Issues (5)
Insecure credential handling detected in skill instructions.
Malicious code pattern detected in skill scripts.
Third-party content exposure detected (indirect prompt injection risk).
Unverifiable external dependency detected (runtime URL that controls agent).
Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).