fusion-devtools
Fail
Audited by Snyk on Jun 13, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill includes commands and example output that fetch raw JWT access tokens (and even a trigger "Get me an access token I can pipe to jq"), which can require the agent to output or embed secrets verbatim despite warnings to redact, creating a clear exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (medium risk: 0.65). The required runtime workflow for this skill is to call the Fusion REST APIs via the
fdev rest/fdev get-access-token/fdev disc ...commands, which ingest HTTP response bodies (outsider-authored content from Fusion services) into the agent’s LLM context when the agent displays/uses those responses.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
Audit Metadata