typescript-project

Fail

Audited by Snyk on Jun 19, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes an explicit API-key-like literal ("sk-1234") and shows embedding an apiKey directly in code (apiKey: process.env... || 'sk-1234'), which is an insecure pattern that requires the LLM/skill to handle or emit secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill’s runtime LLM context is built from the caller-provided prompt/messages arguments passed into templates/project/src/adapters/llm.adapter.ts (complete()/chat()), which can contain outsider-authored free text (e.g., user input) and is then sent to the LLM via client.chat.completions.create({ messages }).

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 19, 2026, 03:59 PM
Issues
2
Security Audit — snyk — typescript-project