gcp-pentesting

Fail

Audited by Snyk on May 4, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes commands and workflows that explicitly embed tokens/keys (e.g., ya29... access tokens, STOLEN_REFRESH_TOKEN, export CLOUDSDK_AUTH_ACCESS_TOKEN, curl with Authorization) and instruct using stolen credentials verbatim, so an LLM following it would be expected to handle and output secret values directly.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). High-risk: the document is an explicit, step-by-step offensive playbook that instructs how to steal credentials and tokens, perform privilege escalation, create persistent backdoors (startup scripts, service account keys, Cloud Functions/Run/backdoor services, HMAC keys), execute remote code, and exfiltrate sensitive data (Cloud Storage, BigQuery, Secret Manager) and logs — all clear malicious/abusive behaviors.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent/operator to fetch and enumerate public third‑party resources (e.g., curl "https://storage.googleapis.com/TARGET-BUCKET" and "https://TARGET-PROJECT.firebaseio.com/.json" in Phase 1) and to read/interact with those public web endpoints, which are untrusted user-controlled sources that can materially change subsequent actions (e.g., progressing to Phase 2/3 based on discovered content).

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned for high-entropy, literal values that could be directly used as credentials. Most token examples are clearly placeholders (e.g., "ya29.xxxx", "STOLEN_REFRESH_TOKEN") or filenames ("sa_key.json") and were ignored per the rules.

However, the OAuth refresh-token curl includes a concrete client_id and a non-placeholder client_secret: client_id=32555940559.apps.googleusercontent.com client_secret=ZmssLNjJy2998hD4CTg2ejr2

The client_secret is a random-looking string (high entropy) and paired with the client_id in a token exchange request, so it appears to be a usable credential rather than a documentation placeholder. Therefore it is flagged as a real secret.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 4, 2026, 08:16 AM
Issues: 4