ai-director

Fail

Audited by Snyk on Jun 23, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples and commands that require embedding API keys or verification codes verbatim (e.g., bind --key "x2c_sk_xxx", credentials/{USER_ID}.json with "x2cApiKey"), so an agent would need to read and output secret values directly, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The codebase contains high-risk patterns: a hard-coded, non-obvious external API endpoint receiving user API keys and account actions, plus logic that writes unified account data and attempts to run a sync script (child_process.execSync), which together create a plausible credential-exfiltration/backdoor vector and remote-code-execution opportunity.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Issues (3)

W007
HIGH

Insecure credential handling detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 23, 2026, 06:06 AM
Issues
3
Security Audit — snyk — ai-director