evm-chains
Fail
Audited by Snyk on May 20, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs substituting the ROUTEMESH_API_KEY environment variable into a URL (https://lb.routeme.sh/rpc/CHAIN_ID/ROUTEMESH_API_KEY), which requires the agent to include the secret value verbatim in generated output/requests and thus creates an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). SKILL.md explicitly tells the agent to "use the web search tool to find authoritative metadata from the chain's official documentation or Chainlist" when a chain is missing, which requires fetching and interpreting content from public third‑party websites that could influence RPC/interaction decisions.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
Audit Metadata