Skills
skills/prava-payments/prava-skills/prava-agent-payments/Snyk

prava-agent-payments

Warn

Audited by Snyk on May 9, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly requires the agent to perform browser automation to complete checkout on merchant websites (see "IMMEDIATELY use the returned credentials to complete checkout at the merchant's site via browser automation" in SKILL.md and references/cli-sessions.md), meaning the agent will fetch and interpret arbitrary public merchant pages (untrusted third-party content) which could include instructions that influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs running "npx skills update prava-agent-payments -g", which fetches and executes a remote npm package at runtime to update the skill instructions — a required external fetch that can directly change the agent's prompts/instructions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to collect and use payment credentials for agent-initiated purchases. It defines a Prava payment flow (installing the Prava CLI, linking the agent to the user's account), provides concrete commands to create payment sessions (prava sessions create) and poll for tokenized card credentials (prava sessions poll), and outputs single-use Visa network tokens and dynamic CVVs which the agent is instructed to use to complete merchant checkouts. This is a specific payment integration that enables the agent to execute purchases on the user's behalf (i.e., move money), not a generic tool. Therefore it grants direct financial execution capability.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly instructs running global npm installs and even tells the agent to use sudo if permissions fail (and to run global updates), which pushes the agent to obtain elevated privileges and modify system-wide state without user interaction, so it should be flagged.

Issues (4)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 9, 2026, 11:35 PM
Issues
4
Security Audit — snyk — prava-agent-payments