nopoint-bring-your-deck
Warn
Audited by Snyk on May 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's Phase 3 "wire data" instructions explicitly require integrating external third-party services (Chartcastr at https://chartcastr.com/admin/... and custom API routes that fetch from external APIs like Stripe or arbitrary URLs/S3) and render their live data and AI-generated commentary directly into slides, meaning the agent will fetch and interpret untrusted third-party content as part of its workflow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's bootstrap step explicitly runs remote code by cloning and starting the upstream repository (git clone https://github.com/mewc/nopoint.git followed by bun install / bun dev), which fetches and executes external code required for the workflow, creating a real runtime execution risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly instructs wiring payment/financial APIs: it names Stripe and shows a concrete example server route that calls Stripe's API (using STRIPE_KEY) to compute MRR, and it also documents using Chartcastr embeds (with CHARTCASTR_API_KEY) that can connect to Stripe/GA/CRMs. These are specific, non-generic integrations with payment/financial data providers rather than a generic HTTP or browser tool, so it meets the "Payment Gateways (Stripe...)" criterion.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata