iblai-vibe-monetization-analytics
Warn
Audited by Snyk on Jul 7, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.75). The required runtime workflow fetches live JSON from the platform’s analytics endpoints (e.g., paywalls/subscribers/revenue) and injects the returned fields (including free-text like
item_name,username,email, andmetadata) into the agent’s LLM context via the UI/data-layer responses, which are outsider-authored data from other users/records rather than the operating user’s own prompts.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly integrates with Stripe (Stripe Connect status, webhook handlers, destination charges) and exposes a concrete subscription-cancel mutation/component (useCancelSubscriptionMutation / CancelSubscription) that performs billing actions (canceling subscriptions and opening the Stripe portal). Because it references specific payment-gateway APIs and mutation endpoints (not just generic HTTP or browser automation), this qualifies as direct financial execution capability.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata