qa-email-sms-otp

Fail

Audited by Snyk on Jul 3, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). Most entries are localhost/127.0.0.1 test endpoints (benign for local Mailpit/SMS gateway use), but the GitHub releases URL points to a third‑party APK (direct executable distribution) which is potentially risky unless you verify the repository, publisher, release artifacts, and checksums/signatures.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The required runtime workflow polls Mailpit/SMS Gateway over HTTP and ingests the fetched message/SMS body text (e.g., wait-for-email-otp.sh reads /api/v1/message/<ID> JSON fields and wait-for-sms-otp.sh reads /inbox JSON fields), which is outsider-authored free text originating from external systems/users rather than the operating user.

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 3, 2026, 01:15 AM
Issues
2
Security Audit — snyk — qa-email-sms-otp