webfuzzer-hotpatch

Result: Fail
Audited by Snyk on Jun 18, 2026
Risk Level: CRITICAL

Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The skillpack explicitly provides hooks and worked recipes for bypassing client-side encryption and for automating credential brute-forcing and token extraction: beforeRequest/afterRequest combos that encrypt outgoing and decrypt incoming traffic, combo recipes described as "write plaintext / see plaintext", mirrorHTTPFlow handlers that extract access_token/session_id values, a customFailureChecker that detects login failures, and retryHandler plus fuzztag for automated retries and hashed payloads. Together these enable credential theft and automated account attacks. No hidden backdoors or external exfiltration endpoints were found in the code; the finding rests on capability rather than on covert behaviour, and that capability is clearly abusive when run against systems without authorization.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the skill content for literal, high-entropy values that could be usable credentials.

Flagged:

  • AES_IV = codec.DecodeHex("0e32a6c40da89058b6451c717d648cb7") appears in examples/combo-aescbc-plaintext-roundtrip.yak and examples/combo-sign-and-encrypt.yak. The literal is 32 hex characters (16 bytes, 128 bits), random-looking, and stored as a top-level constant, i.e. hardcoded cryptographic material. It is high-entropy and present verbatim in the repo text, so it qualifies as sensitive hardcoded crypto material. Note that a CBC IV is not secret by design; the practical concern is a fixed IV reused by every message the example produces, not a value that works as a credential on its own.

Ignored (not flagged) with reasons:

  • AES_KEY / AES_IV values encoded in base64 "MTIzNDU2Nzg5MDEyMzQ1Ng==" and hex "31323334313233343132333431323334" decode to the predictable plaintext "1234567890123456" and "1234123412341234" respectively. These are low-entropy, obvious demo values and are treated as documentation/setup examples.
  • SIGN_SECRET = "demo-app-secret", SIGN_KEY = "1234123412341234", AES_KEY = "aaaaaaaaaaaaaaaa", AES_IV = "aaaaaaaaaaaa", rspKey/rspIv values like "bbbbbbbbbbbbbbbb" — all simple, low-entropy example values (placeholders/demos), so ignored per rules.
  • Long base64 ciphertext strings (e.g., "lvIsXDQECZuulFJf4FsG+MGESw+NHG0sp78Gz7uuFvYuABq/...") are ciphertext/examples, not credentials — ignored.
  • Tokens/headers in tests like "csrf-abc-123", "tok_xyz", "sess_1" are example placeholders — ignored.
  • No API keys, private key PEM blocks, or bearer tokens are embedded as literals.

Conclusion: one high-entropy hardcoded value (the hex IV) was found and counted as a sensitive hardcoded secret.
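A worked illustration of the flag/ignore reasoning in the W008 section, as an added example that is not Snyk's scanner and not the skillpack's own code: the sensitive-name gate, the DecodeHex/DecodeBase64 context rule, the entropy thresholds and the sample lines are assumptions; the literals in the sample are the ones quoted above. It decodes each literal assigned to a key/IV/secret/token-like name and flags it only when the decoded bytes are non-printable or near-maximally random, which is why the hex IV is the single flag while the base64 and hex demo keys, the "aaaa…" placeholders and "demo-app-secret" come out as demo values.

```python
"""Entropy-and-decode secret triage, in the style of the W008 analysis above.

Added example, not Snyk's scanner: the thresholds, the sensitive-name list,
the DecodeHex/DecodeBase64 context rule and the sample lines are assumptions.
The literals in the sample are the ones quoted in the report.
"""
import base64
import binascii
import math
import re
from dataclasses import dataclass

SENSITIVE_WORDS = {"key", "iv", "secret", "token", "pass", "password", "passwd"}
MIN_LEN = 12           # assumption: shorter literals ("tok_xyz", "sess_1") are placeholders
LOW_RAW_ENTROPY = 2.5  # assumption: bits/char below which a literal is an obvious demo value
HIGH_ENTROPY = 3.5     # assumption: bits/byte at or above which decoded material looks random

_LITERAL = re.compile(r'"([^"\n]*)"')
# Split identifiers on underscores and camelCase: "rspKey" -> ["rsp", "Key"], "AES_IV" -> ["AES", "IV"].
_WORDS = re.compile(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+")


@dataclass
class Finding:
    context: str   # text on the line before the literal (identifier, decoder call)
    literal: str
    verdict: str   # "flag", "demo" or "skip"
    reason: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte histogram; 0.0 for empty input or one repeated byte."""
    counts: dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def is_sensitive_name(context: str) -> bool:
    """True when the identifier text before the literal contains a key/secret-like word."""
    return any(w.lower() in SENSITIVE_WORDS for w in _WORDS.findall(context))


def decode_literal(lit: str, context: str) -> tuple[bytes, str]:
    """Return (decoded bytes, encoding). An explicit codec.DecodeHex(/DecodeBase64( call
    wins; otherwise guess, but never "decode" a low-entropy run like "aaaaaaaaaaaaaaaa",
    and keep all-digit strings as text ("1234123412341234" is a demo key, not hex)."""
    ctx = context.rstrip()
    if ctx.endswith("DecodeHex("):
        return bytes.fromhex(lit), "hex"
    if ctx.endswith("DecodeBase64("):
        return base64.b64decode(lit), "base64"
    if shannon_entropy(lit.encode()) < LOW_RAW_ENTROPY:
        return lit.encode(), "raw"
    if re.fullmatch(r"[0-9a-fA-F]+", lit) and len(lit) % 2 == 0 and not lit.isdigit():
        return bytes.fromhex(lit), "hex"
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", lit) and len(lit) % 4 == 0:
        try:
            return base64.b64decode(lit, validate=True), "base64"
        except binascii.Error:
            pass
    return lit.encode(), "raw"


def classify(lit: str, context: str) -> Finding:
    """Demo value if it decodes to printable, not-too-random text; otherwise a flag."""
    if len(lit) < MIN_LEN:
        return Finding(context, lit, "skip", f"shorter than {MIN_LEN} chars")
    data, enc = decode_literal(lit, context)
    entropy = shannon_entropy(data)
    printable = all(32 <= b < 127 for b in data)
    if printable and entropy < HIGH_ENTROPY:
        return Finding(context, lit, "demo",
                       f"{enc} -> plaintext {data.decode('ascii')!r}, {entropy:.2f} bits/byte")
    return Finding(context, lit, "flag",
                   f"{enc}, {len(data)} bytes, {entropy:.2f} bits/byte, printable={printable}")


def scan(text: str) -> list[Finding]:
    """Classify every quoted literal that is assigned to, or wrapped by, a sensitive name."""
    out = []
    for line in text.splitlines():
        for m in _LITERAL.finditer(line):
            context = line[: m.start()]
            if is_sensitive_name(context):
                out.append(classify(m.group(1), context))
    return out


def flagged(text: str) -> list[str]:
    return [f.literal for f in scan(text) if f.verdict == "flag"]


# Constructed sample in the shape of the .yak examples the report cites. The literals are the
# ones quoted in the report; the ciphertext line is made up (base64 of "constructed ciphertext").
SAMPLE_SKILL = '''
AES_IV = codec.DecodeHex("0e32a6c40da89058b6451c717d648cb7")
AES_KEY = codec.DecodeBase64("MTIzNDU2Nzg5MDEyMzQ1Ng==")
AES_IV = codec.DecodeHex("31323334313233343132333431323334")
SIGN_SECRET = "demo-app-secret"
SIGN_KEY = "1234123412341234"
AES_KEY = "aaaaaaaaaaaaaaaa"
rspKey = "bbbbbbbbbbbbbbbb"
csrf_token = "csrf-abc-123"
token = "tok_xyz"
ciphertext = "Y29uc3RydWN0ZWQgY2lwaGVydGV4dA=="
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_SKILL):
        print(f"{f.verdict:5} {f.literal!r:40} {f.reason}")
```

Run it as a script to print a verdict for every sample line. The thresholds are deliberately crude: Shannon entropy over 16 bytes saturates at 4.0 bits/byte, so the printable-ASCII check carries most of the weight for short keys and IVs, and a random 8-byte value would be caught by that check rather than by the entropy cutoff. The name gate is what keeps ciphertext blobs out of the results, which mirrors the report's reason for ignoring the long base64 strings.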

Audit Metadata
Risk Level: CRITICAL
Analyzed: Jun 18, 2026, 04:14 PM
Issues: 2