pp-qbo

Audit result: Fail

Audited by Snyk on Jun 25, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows the auth command using --client-id and --client-secret flags (e.g., "qbo-pp-cli auth login --client-id ... --client-secret ..."), which requires the agent/LLM to embed secret values verbatim into commands or outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill's runtime prerequisites instruct installing and running remote code (e.g., "npx -y @mvanhorn/printing-press-library install qbo" and "go install github.com/mvanhorn/printing-press-library/library/payments/qbo/cmd/qbo-pp-cli@latest"), which would fetch and execute external code that the skill requires to operate.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is a QuickBooks Online–specific CLI intended to manage accounting data. It exposes explicit create/update commands for financial resources (e.g., "payments create", "bills create", "purchases create", "invoices create", "journal-entries create", "accounts create") and reconciliation ("reconcile") as well as payment management and delivery options. It requires OAuth2 auth and supports an --agent non-interactive mode, enabling automated, non-interactive execution of those financial actions. Because these are specific, first-class financial operations (creating/updating payments, bills, invoices, purchases, journal entries), this qualifies as direct financial execution authority.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Jun 25, 2026, 10:32 PM
  • Issues: 3
Security Audit — snyk — pp-qbo