docyrus-webform-design

Fail

Audited by Snyk on Jun 23, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The workflow requires capturing and then embedding the webform's public webhook URL/token (form_submit_url / form_url / embed_code) verbatim into curl commands or responses, which are credential-bearing values and would expose secrets through the LLM output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). Outsider free text can enter the LLM context via the public webform submission path: a non-authenticated user POSTs arbitrary data values to form_submit_url (POST /v1/webforms/{id}/{token}), which are then queued and passed as input to the automation webform trigger (and any downstream nodes/LLM steps), so the runtime LLM context may include that outsider-authored text.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill's embed_code includes a remote script that will be fetched at runtime and execute code to render the public form — https://static.docyrus.app/webform/w.js is a required external runtime dependency that controls the form UI.

Issues (3)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 23, 2026, 10:29 PM
Issues
3
Security Audit — snyk — docyrus-webform-design