spree-checkout
Warn
Audited by Snyk on Jun 29, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The required workflow’s runtime steps are “fetch live docs” from public URLs (e.g.,
https://spreecommerce.org/docs/...and GitHub source) and ingest their readable page text into the agent’s LLM context, which is outsider-authored free text from the public web.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill explicitly instructs the agent to fetch live documentation (e.g. https://spreecommerce.org/docs/developer/core-concepts/orders) and the live Spree::Order GitHub source at runtime to determine state machine behavior, so external content would directly control the agent's instructions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly about e-commerce checkout and payment flows. It documents creating PaymentSessions (POST /api/v3/store/checkout/payment_sessions), the provider handshake (Stripe/Adyen/PayPal), capturing a session into a Payment on completion (POST /api/v3/store/checkout/complete), and refund/reimbursement flows (Reimbursement.perform! creates Refunds or StoreCredits). It also advises idempotency to prevent double-charging and warns about marking payments completed manually. These are concrete, payment-specific operations (creating charges, capturing payments, and issuing refunds), not generic tooling, so it grants direct financial execution capability.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata