dashi-ppt
Fail
Audited by Snyk on Jul 17, 2026
Risk Level: HIGH
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill runs npm during generation and the project/.npmrc sets the npm registry to https://registry.npmmirror.com, which is used at runtime to fetch/install packages (remote code that can execute), so the registry URL is a runtime dependency that may execute remote code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the skill files for high-entropy literal values that look like real credentials. I found a URL in project/assets/template-swiss.html that includes an xsec_token parameter whose value is a base64-like, random-looking string (ends with '=' encoded as %3D). This is not a placeholder or obvious example — it appears to be a real access/validation token embedded in the link and therefore qualifies as a secret under the given definition. Other strings in the repo (version numbers, example randomSeed, registry URL, simple example values) are low-entropy or clearly non-secret and were ignored.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W008
HIGHSecret detected in skill content (API keys, tokens, passwords).
Audit Metadata