huawei-cloud-sac-yolo
Warn
Audited by Snyk on Jun 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). Outsider free text is fetched at runtime from the public Huawei Cloud solution detail page URL passed to
extract_sac_deploy_info.py(via Playwrightpage.evaluatereadingdocument.body.innerText), and the extractedtitle/estimated_price_text/deploy_linksare then printed and written into the agent-visible JSON context.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill runtime uses external web pages and Terraform template URLs (e.g. the SAC detail page https://www.huaweicloud.com/solution/implementations/quickly-build-a-yolo-training-platform.html and the template file https://documentation-samples.obs.cn-north-4.myhuaweicloud.com/solution-as-code-publicbucket/solution-as-code-moudle/quickly-build-a-yolo-training-platform/quickly-build-a-yolo-training-platform.tf) which the scripts download at runtime and which supply Terraform code that can be executed via terraform apply, so the fetched content directly controls executed infrastructure code and is a required dependency.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata