dashiai-ppt
Fail
Audited by Snyk on Jul 13, 2026
Risk Level: HIGH
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill sets the npm registry to https://registry.npmmirror.com (project/.npmrc) and SKILL.md explains the generator will install project dependencies at runtime (npm in /project), so remote packages from that registry will be fetched and executed as required runtime code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I looked for literal, high-entropy values (real API keys, tokens, private keys) and ignored placeholders or obvious example strings. The only suspicious value is an xsec_token embedded in a profile URL: it is a long, random-looking query parameter (not a placeholder) and may be a session/authorization token passed to the Xiaohongshu link. That fits the definition of a high-entropy secret (literal value that can grant access), so I flag it. No RSA/PEM blocks, sk-... keys, or other obvious credentials were found.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W008
HIGHSecret detected in skill content (API keys, tokens, passwords).
Audit Metadata