setup
Fail
Audited by Snyk on May 28, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The wizard explicitly asks the user for a webhook URL and then runs a command that injects that URL verbatim (npm run generate:http-hooks -- --write) and references an env token, which requires the LLM to handle and emit secret-bearing values directly.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The wizard runs npm/npx install/run commands at runtime (e.g., "npx tsx ${CLAUDE_PLUGIN_ROOT}/.../generate-http-hooks.ts ..." and "npm install agentation-mcp"), which will fetch and execute packages from the npm registry (https://registry.npmjs.org) during skill runtime.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata