verified-email

Warn

Audited by Snyk on May 18, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly includes a "WebView support" section (references/android/identity/sign-in/credential-manager-webview.md and the SKILL.md "WebView support" paragraph) with sample code that loads an external URL via webView.loadUrl(url) and JS-bridge integration, and it also ingests DigitalCredential.credentialJson responses from external wallets/providers which the app parses and uses to drive account-creation and UI flows—together these show the agent will consume untrusted third-party web/wallet content that can materially influence actions.

Issues (1)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 18, 2026, 02:50 AM
Issues
1
Security Audit — snyk — verified-email