photon-cli
Fail
Audited by Snyk on Jun 22, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt directs the agent to run commands that emit a project API secret (shown as "spk_live_…") and explicitly instructs the agent to read/store the JSON output, which requires the LLM to handle (and may output) secret values verbatim.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is a CLI that explicitly includes billing-related commands and actions that can spend money (examples:
billing checkout,projects upgrade) and guidance about confirming before performing any action that "spends money." Those are explicit financial execution capabilities (checkout/upgrade operations that will charge payment). This is not merely a generic API caller or browser automation — it contains explicit commands to perform billing/checkout and upgrade projects.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata