mira-voice-f5
Fail
Audited by Snyk on Jun 23, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt embeds a Telegram bot token directly in the curl URL and instructs sending that exact command, requiring the LLM to output/use the secret token verbatim (high exfiltration risk).
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The skill intentionally uploads generated voice files to a fixed external Telegram bot using a hardcoded bot token and chat_id (via curl), which constitutes deliberate data exfiltration and credential exposure/backdoor behavior.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). The string "8750482121:AAEHLkNQc413zPtbFq5xVcj7Qr4D6Vcp84I" appears verbatim in the skill (in the Telegram API URL and the potential matches). It matches the Telegram bot token format (<bot_id>:), is not a placeholder, and is a high-entropy, usable credential that would allow control of the bot via the Telegram Bot API. This is a real secret and should be treated as exposed (recommend immediate rotation/revocation).
Issues (3)
W007
HIGHInsecure credential handling detected in skill instructions.
E006
CRITICALMalicious code pattern detected in skill scripts.
W008
HIGHSecret detected in skill content (API keys, tokens, passwords).
Audit Metadata