marketplace-order-hook

Warn

Audited by Snyk on Jun 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The required runtime path is the Hook endpoint handler (app.post("/vtex/order-hook", createHookHandler(...))) which ingests VTEX-sent JSON payloads (req.body) containing Origin.Account/Key/OrderId/State/LastChange; these are outsider-authored messages from VTEX (a third party) into the agent’s LLM context if the integration forwards them to the LLM.

Issues (1)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 20, 2026, 01:05 AM
Issues
1
Security Audit — snyk — marketplace-order-hook