deploying-honeytokens-and-canarytokens
Warn
Audited by Snyk on Jun 27, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The workflow explicitly instructs fetching and executing remote code via "git clone https://github.com/thinkst/canarytokens-docker" followed by "docker compose up -d" (which runs the fetched containers), and the agent also performs runtime API calls to https://canarytokens.org for token generation; the GitHub clone + docker compose is a high-confidence execution-of-remote-code dependency.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs creating an Active Directory account (New-ADUser) and planting decoy credentials in system locations (e.g., ~/.aws/credentials, /etc/hosts) and deploying network services on privileged ports via Docker—actions that modify host/authentication state and create new user accounts.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata