managing-consent-for-children

Fail

Audited by Snyk on Jun 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I reviewed the entire skill content for literal credentials that could be used to access services.

Flagged item:

  • The default HMAC signing key hardcoded in scripts/process.py:
  • secret_key = "cloudvault-parental-consent-hmac-key-2026"
  • Reason: This value is embedded as the HMAC signing secret used by generate_verification_link() to create verification signatures. Even though the string is human-readable and not high-entropy, it is a real, usable secret in the code (it will allow forging/validating parental-consent tokens). Hardcoding such a signing key in repo defaults is an active security risk and should be removed/rotated and supplied from a secure secrets store or environment variable.

Ignored items (not flagged) and why:

  • token=a1b2c3d4e5f6g7h8 in assets/template.md — treated as an illustrative/example token in documentation (low entropy / example) and not a high-entropy active credential.
  • Request IDs (pcr_2026-03-14_7f3a9b), Child Account ID (usr_child_abc123), UUIDs and sample email addresses (parent@protonmail.com, privacy@cloudvault-saas.eu) — obvious examples/placeholders or non-sensitive identifiers.
  • Other configuration-like literals (base_url, verification link format) — not secrets.

Recommendation: Remove the hardcoded secret_key from source, load it from a secure environment or secrets manager, and rotate any tokens signed with the embedded key if used in production.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly describes credit-card micro-transactions for parental verification (a $0.50 refundable charge) and the collection/processing of card details as part of the verification workflow. Although no specific payment gateway is named, this is an explicit payment operation (charging/refunding a card) and therefore constitutes direct financial execution capability.

Issues (2)

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 16, 2026, 03:34 PM
Issues
2
Security Audit — snyk — managing-consent-for-children