raycast-extensions

Fail

Audited by Snyk on Jun 30, 2026

Risk Level: HIGH
Full Analysis

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the skill content for high-entropy literal values that look like real credentials. I found one clear match in the test fixture file:
  • File: evals/fixtures/dictionary-flawed/src/search.tsx
  • const API_KEY = "dict_live_sk_8f3a9b2c1d4e5f6a7b8c9d0e";

This is a high-entropy, API-key–looking string (prefix "dict_live_sk_" and a long random suffix). Even though the file comment says it was a deliberately planted/fake secret and includes a gitleaks allow, it is still a literal, credential-shaped token in source and therefore should be treated as a secret per the rules.

No other high-entropy secrets were present. I ignored placeholders, doc templates, and simple example strings elsewhere (e.g., placeholders like {PR_MERGE_DATE}, preference examples, or plain words) because they are non-secret documentation values per the ignore rules.

Issues (1)

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 30, 2026, 04:39 PM
Issues
1
Security Audit — snyk — raycast-extensions