handover

Fail

Audited by Snyk on May 22, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to extract an auth cookie (auth_token) from browser storage and write/read it into .claude-plugin/project-config.json (and use it for sub-skills), which requires the agent to handle secrets and could cause those secret values to be exposed in tool outputs or messages.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains deliberate orchestration to harvest and persist an authentication token via automated Playwright login (extracting an auth_token cookie and saving it to a local .claude-plugin config), instructs deleting the browser storage file and stale config (trace removal), and then grants/uses that token with parallel foreground agents that have full tool permissions (Bash, Read, Write, etc.), creating a clear avenue for credential theft, unauthorized API access, and data exfiltration by sub-skills or malicious agents.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill fetches and parses remote data and authentication artifacts from the public admin.hlx.page service (see Step 1.6.2 curl to "https://admin.hlx.page/config/${ORG}/sites.json" and Step 1.6.2/1.6.3 Playwright login to "https://admin.hlx.page/login/${ORG}/${SITE}/main" with extraction of the auth_token from .claude-plugin/auth-storage.json), so it ingests untrusted third-party content and uses those values (site name and auth token) to drive subsequent actions and tool calls.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

  • Hidden Unicode characters detected (1 type(s) found)

Issues (5)

W007
HIGH

Insecure credential handling detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W021
MEDIUM

Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

Audit Metadata
Risk Level
CRITICAL
Analyzed
May 22, 2026, 03:19 PM
Issues
5
Security Audit — snyk — handover