yc-apply

Fail

Audited by Snyk on Jun 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to ingest founder-provided workspace fields (including an explicit "login credentials" low-stakes field) and to produce paste-ready outputs (08_final/SUBMIT.md and drafts) which will reproduce those fields verbatim, so the LLM would need to read and emit secret credentials directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The required runtime workflow for Phase 3 (“external-research”) dispatches subagents that use WebSearch/WebFetch to fetch public web pages and scrape their contents into the generated research slice markdown files (e.g., 04_research/02_competitive-landscape.md), which then become LLM-readable context for later phases.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 13, 2026, 06:17 PM
Issues
2
Security Audit — snyk — yc-apply