dashi-ppt

Fail

Audited by Snyk on Jul 17, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill runs npm during generation and the project/.npmrc sets the npm registry to https://registry.npmmirror.com, which is used at runtime to fetch/install packages (remote code that can execute), so the registry URL is a runtime dependency that may execute remote code.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the skill files for high-entropy literal values that look like real credentials. I found a URL in project/assets/template-swiss.html that includes an xsec_token parameter whose value is a base64-like, random-looking string (ends with '=' encoded as %3D). This is not a placeholder or obvious example — it appears to be a real access/validation token embedded in the link and therefore qualifies as a secret under the given definition. Other strings in the repo (version numbers, example randomSeed, registry URL, simple example values) are low-entropy or clearly non-secret and were ignored.

Issues (2)

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level
HIGH
Analyzed
Jul 17, 2026, 09:58 AM
Issues
2
Security Audit — snyk — dashi-ppt