building-nango-functions-remotely
Fail
Audited by Snyk on May 28, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt requires resolving and using NANGO_SECRET_KEY and instructs sending an Authorization: Bearer <NANGO_SECRET_KEY> header for remote API calls, which forces the agent to handle (and potentially emit) a secret value verbatim if it cannot rely on environment-only usage.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill requires at runtime posting user-provided TypeScript source to the remote-function endpoints on the resolved NANGO_SERVER_URL (fallback https://api.nango.dev) — e.g., POST {host}/remote-function/compile, /dryrun, /deploy — which compile/dryrun/deploy and thus execute code remotely, making https://api.nango.dev a runtime endpoint that executes submitted code.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata