qa-email-sms-otp
Fail
Audited by Snyk on Jul 3, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Most entries are localhost/127.0.0.1 test endpoints (benign for local Mailpit/SMS gateway use), but the GitHub releases URL points to a third‑party APK (direct executable distribution) which is potentially risky unless you verify the repository, publisher, release artifacts, and checksums/signatures.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The required runtime workflow polls Mailpit/SMS Gateway over HTTP and ingests the fetched message/SMS body text (e.g.,
wait-for-email-otp.shreads/api/v1/message/<ID>JSON fields andwait-for-sms-otp.shreads/inboxJSON fields), which is outsider-authored free text originating from external systems/users rather than the operating user.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
Audit Metadata