nopoint-bring-your-deck

Warn

Audited by Snyk on May 11, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's Phase 3 "wire data" instructions explicitly require integrating external third-party services (Chartcastr at https://chartcastr.com/admin/... and custom API routes that fetch from external APIs like Stripe or arbitrary URLs/S3) and render their live data and AI-generated commentary directly into slides, meaning the agent will fetch and interpret untrusted third-party content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's bootstrap step explicitly runs remote code by cloning and starting the upstream repository (git clone https://github.com/mewc/nopoint.git followed by bun install / bun dev), which fetches and executes external code required for the workflow, creating a real runtime execution risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly instructs wiring payment/financial APIs: it names Stripe and shows a concrete example server route that calls Stripe's API (using STRIPE_KEY) to compute MRR, and it also documents using Chartcastr embeds (with CHARTCASTR_API_KEY) that can connect to Stripe/GA/CRMs. These are specific, non-generic integrations with payment/financial data providers rather than a generic HTTP or browser tool, so it meets the "Payment Gateways (Stripe...)" criterion.

Issues (3)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 11, 2026, 09:15 PM
Issues
3