aliyun-fc-serverless-devs

Fail

Audited by Snyk on May 19, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains explicit examples that place AccessKeyID/AccessKeySecret directly into command-line arguments and JSON exports (e.g., --AccessKeySecret , export default_serverless_devs_key with "AccessKeySecret":""), which would require the LLM or user to supply secret values verbatim into outputs/commands, creating exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill runs remote code at runtime via npx/npm (e.g., "npx -y @serverless-devs/s" which fetches/executes the @serverless-devs/s package from the npm registry at https://registry.npmjs.org/@serverless-devs/s), and that external content is a required dependency for the workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). This skill prompt includes multiple explicit sudo commands (global npm install, config, init, deploy) that instruct running privileged operations which modify system state, so it pushes the agent toward performing elevated, potentially compromising actions (even though non-sudo alternatives are mentioned).

Issues (3)

W007
HIGH

Insecure credential handling detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
HIGH
Analyzed
May 19, 2026, 04:22 AM
Issues
3
Security Audit — snyk — aliyun-fc-serverless-devs