verified-email
Warn
Audited by Snyk on May 18, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly includes a "WebView support" section (references/android/identity/sign-in/credential-manager-webview.md and the SKILL.md "WebView support" paragraph) with sample code that loads an external URL via webView.loadUrl(url) and JS-bridge integration, and it also ingests DigitalCredential.credentialJson responses from external wallets/providers which the app parses and uses to drive account-creation and UI flows—together these show the agent will consume untrusted third-party web/wallet content that can materially influence actions.
Issues (1)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
Audit Metadata