turso

Fail

Audited by Snyk on May 19, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples that place encryption keys and auth tokens directly into command-line arguments or code (e.g., hexkey=YOUR_KEY and authToken: "..."), which instructs embedding secrets verbatim and thus requires the LLM to handle/output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's workflow instructs connecting to and syncing with remote Turso Cloud databases (e.g., references/sync.md: connect with url "libsql://..." and call await db.pull()/db.exec, and references/agents.md: shared DB URLs like "https://shared-tasks.turso.io"), which causes the agent to fetch and interpret potentially untrusted third-party/user-generated database content that can influence subsequent actions.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
May 19, 2026, 06:37 AM
Issues
2
Security Audit — snyk — turso