Skills
skills/wildix/agent-skills/wildix-get-conference/Snyk

wildix-get-conference

Fail

Audited by Snyk on May 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill requires obtaining an IdToken and passing it explicitly as a command-line argument (bash ... "$ID_TOKEN" <conferenceId>), which forces the agent to handle and potentially emit the secret verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's runtime script (scripts/get-conference.sh) fetches conference data and "insights" from the external API https://wda.wildix.com/v2/... and SKILL.md explicitly uses those untrusted, third‑party insights (shortSummary, title, topics, decisions, etc.) to display, populate Obsidian notes, extract tags and ticket links, and drive downstream behavior — meaning external content is read and can materially change agent actions.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
May 13, 2026, 04:35 PM
Issues
2