aicoin-market

Fail

Audited by Snyk on May 18, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill includes an explicit CLI/example for updating API keys (node scripts/coin.mjs update_key '{"key_id":"xxx","secret":"xxx"}') which encourages embedding secrets verbatim in commands the agent must generate or execute, so the LLM could be forced to handle/output secret values even though other parts warn against printing env; this creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly runs scripts that ingest public/untrusted third-party content—e.g., scripts/twitter.mjs (Twitter/X tweets), scripts/news.mjs and scripts/newsflash.mjs (RSS/newsflash), scripts/airdrop.mjs and scripts/drop_radar.mjs (public project/airdrop data)—and SKILL.md requires using those script outputs as part of its workflow, so user-generated/open-web content can influence the agent's decisions and responses.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
May 18, 2026, 01:40 AM
Issues
2
Security Audit — snyk — aicoin-market