skills/borski/travel-hacking-toolkit/transfer-bonuses/Snyk

transfer-bonuses

Warn

Audited by Snyk on Jun 14, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.85). The runtime path reads data/transfer-bonuses.json (refreshed by scraping Frequent Miler and cross-checking AwardWallet), and that JSON includes active_bonuses[].notes/sources/fields derived from outsider-authored web pages, which become LLM-readable text when the skill renders the “active bonuses” table.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.80). The refresh script (python3 scripts/refresh-transfer-bonuses.py) scrapes external pages at runtime—notably Frequent Miler (https://frequentmiler.com/current-point-transfer-bonuses) and AwardWallet (https://awardwallet.com)—and uses that fetched HTML to populate data/transfer-bonuses.json which directly determines the skill's outputs.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Jun 14, 2026, 12:10 PM

Issues

2

Security Audit — snyk — transfer-bonuses