iblai-vibe-monetization-analytics

Warn

Audited by Snyk on Jul 7, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). The required runtime workflow fetches live JSON from the platform’s analytics endpoints (e.g., paywalls/subscribers/revenue) and injects the returned fields (including free-text like item_name, username, email, and metadata) into the agent’s LLM context via the UI/data-layer responses, which are outsider-authored data from other users/records rather than the operating user’s own prompts.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly integrates with Stripe (Stripe Connect status, webhook handlers, destination charges) and exposes a concrete subscription-cancel mutation/component (useCancelSubscriptionMutation / CancelSubscription) that performs billing actions (canceling subscriptions and opening the Stripe portal). Because it references specific payment-gateway APIs and mutation endpoints (not just generic HTTP or browser automation), this qualifies as direct financial execution capability.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 7, 2026, 01:02 PM
Issues
2
Security Audit — snyk — iblai-vibe-monetization-analytics