sqlite-database
Fail
Audited by Snyk on Apr 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill tells the agent that system-provided $AUTH_TOKEN/$API_URL must be used as a Bearer token and shows examples embedding an auth token/DB_TOKEN in curl and code, which can force the LLM to include secret values verbatim in generated requests or snippets.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill calls the runtime endpoint "$API_URL/api/data/turso/provision" to provision the database and the JSON response explicitly includes an "instructions" field that the skill tells the agent to "always read and follow," so remote content fetched at runtime can directly control agent behavior and is required for the skill to function.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata