webfuzzer-hotpatch
Fail
Audited by Snyk on Jun 18, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This skillpack explicitly provides hooks and examples to bypass client-side encryption and automate credential brute-forcing and token extraction (e.g., beforeRequest/afterRequest combos to encrypt/decrypt traffic, combo recipes to "write plaintext / see plaintext", mirrorHTTPFlow extracting access_token/session_id, customFailureChecker to detect login failures, retryHandler and fuzztag for automated retries and hashed payloads), which enable credential theft and automated account attacks — there are no hidden backdoors or external exfiltration endpoints in the code, but the functionality is clearly abusive if used without authorization.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the skill content for literal, high-entropy values that could be usable credentials.
  Flagged:
  - AES_IV = codec.DecodeHex("0e32a6c40da89058b6451c717d648cb7") appears in examples/combo-aescbc-plaintext-roundtrip.yak and examples/combo-sign-and-encrypt.yak. This is a 32-hex-char (128-bit) random-looking literal stored as a top-level constant (hardcoded cryptographic material). It is high-entropy and directly present in the repo text, so it qualifies as sensitive hardcoded cryptographic material.
  Ignored (not flagged) with reasons:
  - AES_KEY / AES_IV values encoded in base64 "MTIzNDU2Nzg5MDEyMzQ1Ng==" and hex "31323334313233343132333431323334" — both decode to predictable/simple plaintext like "1234567890123456" or "1234123412341234". These are low-entropy, obvious example/hardcoded demo values and are treated as documentation/setup examples.
  - SIGN_SECRET = "demo-app-secret", SIGN_KEY = "1234123412341234", AES_KEY = "aaaaaaaaaaaaaaaa", AES_IV = "aaaaaaaaaaaa", rspKey/rspIv values like "bbbbbbbbbbbbbbbb" — all simple, low-entropy example values (placeholders/demos), so ignored per rules.
  - Long base64 ciphertext strings (e.g., "lvIsXDQECZuulFJf4FsG+MGESw+NHG0sp78Gz7uuFvYuABq/...") are ciphertext/examples, not credentials — ignored.
  - Tokens/headers in tests like "csrf-abc-123", "tok_xyz", "sess_1" are example placeholders — ignored.
  - No API keys, private key PEM blocks, or bearer tokens are embedded as literals.
  Conclusion: one high-entropy hardcoded value (the hex IV) was found and counted as a sensitive hardcoded secret.