speckle-impl-powerbi

Warn

Audited by Snyk on May 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's core workflow calls Speckle.GetByUrl and Speckle.Projects.Issues to load data from https://app.speckle.systems (model URLs, project issues and reply threads), which are untrusted/user-generated third‑party contents that the connector ingests and that the Power Query logic and visuals use to drive queries, mappings, and report behavior—thus allowing indirect injection via that external content.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt instructs modifying system-level configuration (editing HKLM registry keys to register certificate thumbprints and copying connector files into service-profile/system folders) and installing gateway components that require administrator privileges, which would change the machine state and require elevated access.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 15, 2026, 08:35 PM
Issues
2
Security Audit — snyk — speckle-impl-powerbi