pagr
Audited by Snyk on May 20, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt embeds an actual API key verbatim in the MCP server URL and instructs clients to use that endpoint, which forces the agent to include a secret string in outputs/configuration, creating direct exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). High risk: the skill embeds a seemingly valid long-lived API key inside a remote MCP SSE endpoint (https://mcp.getpagr.co/mcp?PAGR_API_KEY=...), effectively granting any MCP-compatible client with that endpoint the ability to call upload/list/delete tools and publish arbitrary local HTML (a clear credential-exposure/backdoor and potential data-exfiltration vector); there is no obfuscated or RCE code, but the exposed secret and server configuration enable remote misuse and unauthorized publishing of user data.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md "Remote MCP Server (SSE)" section exposes a public MCP endpoint (https://mcp.getpagr.co/mcp?PAGR_API_KEY=...) that allows arbitrary MCP-compatible clients to push user-generated HTML/files which the agent is expected to ingest and act on (e.g., via upload_file), creating a path for untrusted third-party content to influence agent actions.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned for literal, high-entropy values that look like real API keys. The document contains one explicit, full-looking API key embedded in the MCP server URL:
https://mcp.getpagr.co/mcp?PAGR_API_KEY=pagr_tW2NdRvtqZq2CIb0oJ137rfh75ystZoeoOQiSd7aMDc
This value:
- Is a literal value (not a placeholder).
- Starts with the API prefix pagr_ and continues with a long, random-looking string (high entropy).
- Is presented as a query parameter to an SSE endpoint, which would allow access if valid.
Other occurrences of pagr_... or pagr_ in examples (e.g., pagr_..., PAGR_API_KEY: ${{ secrets.PAGR_API_KEY }}) are placeholders or example usage and were ignored per the rules.
Issues (4)
Insecure credential handling detected in skill instructions.
Malicious code pattern detected in skill scripts.
Third-party content exposure detected (indirect prompt injection risk).
Secret detected in skill content (API keys, tokens, passwords).