configure
Fail
Audited by Snyk on May 14, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill asks the user for a webhook URL and then instructs the agent to embed that URL verbatim into command-line invocations and saved config (and references API keys), which requires the LLM to handle secret values directly and risks exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly enables the Tavily MCP and lists tavily tools (tavily_search, tavily_extract, tavily_crawl) in references/mcp-config.md and SKILL.md, and names agents/skills (web-research-analyst, market-intelligence, /ork:explore, etc.) that will fetch and ingest public web pages/URLs for research—untrusted third-party content that the agent reads and can influence decisions and tool use.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
Audit Metadata