configure

Fail

Audited by Snyk on May 14, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill asks the user for a webhook URL and then instructs the agent to embed that URL verbatim into command-line invocations and saved config (and references API keys), which requires the LLM to handle secret values directly and risks exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly enables the Tavily MCP and lists tavily tools (tavily_search, tavily_extract, tavily_crawl) in references/mcp-config.md and SKILL.md, and names agents/skills (web-research-analyst, market-intelligence, /ork:explore, etc.) that will fetch and ingest public web pages/URLs for research—untrusted third-party content that the agent reads and can influence decisions and tool use.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
May 14, 2026, 10:18 PM
Issues
2
Security Audit — snyk — configure