dashiai-ppt

Fail

Audited by Snyk on Jul 13, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill sets the npm registry to https://registry.npmmirror.com (project/.npmrc) and SKILL.md explains the generator will install project dependencies at runtime (npm in /project), so remote packages from that registry will be fetched and executed as required runtime code.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I looked for literal, high-entropy values (real API keys, tokens, private keys) and ignored placeholders or obvious example strings. The only suspicious value is an xsec_token embedded in a profile URL: it is a long, random-looking query parameter (not a placeholder) and may be a session/authorization token passed to the Xiaohongshu link. That fits the definition of a high-entropy secret (literal value that can grant access), so I flag it. No RSA/PEM blocks, sk-... keys, or other obvious credentials were found.

Issues (2)

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level
HIGH
Analyzed
Jul 13, 2026, 08:23 AM
Issues
2
Security Audit — snyk — dashiai-ppt