skills/pachca/openapi/pachca-profile/Snyk

pachca-profile

Fail

Audited by Snyk on Apr 8, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

Insecure credential handling detected (high risk: 1.00). The skill explicitly tells the agent to ask the user for a Pachca token and to run CLI commands using the --token flag or by exporting the token, which requires the agent to receive and embed the secret value verbatim in commands — an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.80). The skill instructs running npx/npm to fetch and execute the @pachca/cli package at runtime (e.g. https://registry.npmjs.org/@pachca/cli or https://www.npmjs.com/package/@pachca/cli), which downloads remote code that will be executed and is presented as a required dependency.

Issues (2)

W007

HIGH

Insecure credential handling detected in skill instructions.

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

HIGH

Analyzed

Apr 8, 2026, 01:56 AM

Issues

2