photon-cli

Fail

Audited by Snyk on Jun 22, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt directs the agent to run commands that emit a project API secret (shown as "spk_live_…") and explicitly instructs the agent to read/store the JSON output, which requires the LLM to handle (and may output) secret values verbatim.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is a CLI that explicitly includes billing-related commands and actions that can spend money (examples: billing checkout, projects upgrade) and guidance about confirming before performing any action that "spends money." Those are explicit financial execution capabilities (checkout/upgrade operations that will charge payment). This is not merely a generic API caller or browser automation — it contains explicit commands to perform billing/checkout and upgrade projects.

Audit Metadata
Risk Level
HIGH
Analyzed
Jun 22, 2026, 08:35 AM
Issues
2