ziniao-sso-doc

Fail

Audited by Snyk on Jul 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs using the API Key in an Authorization: Bearer header and embedding the openapiToken in Schema URLs, which would force the LLM to place secret values verbatim into generated requests/commands if it fills those placeholders.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill intentionally requires invoking superbrowser:// Schema URLs at runtime (e.g. "superbrowser://OpenStrore?storeId=xxxxxxx&openapiToken=xxxxxxxxx&userId=xxxxxxx&lanuchUrl=aHR0cHM6Ly93d3cuYmFpZHUuY29t&autoopen=true&debuggPort=60001&notPromptForDownload=1&forceDownloadPath=Rjpc5a6J6KOF5YyF --disable-gpu start-maximized"), which directly triggers the local SuperBrowser client to execute actions (open/close/exit) and is therefore a runtime dependency that executes code.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the provided Skill docs for literal, high-entropy credentials.

Flagged:

  • reference/account-auth.md line 114 contains "79db5b0c8d16d5d7eecded06101a7e39" — a 32-character hex token that looks like a real/openapi auth token (high entropy, could be usable). It appears verbatim in a response example and meets the "high-entropy literal value" definition, so I treat it as a potential secret.

Ignored (not flagged) and why:

  • reference/account-auth.md line 51 "xxxxxxxxxxxxxxxx" — placeholder/redaction, low entropy → ignore.
  • client-schema.md line 21 openapiToken=xxxxxxxxx and storeId=xxxxxxx/userId=xxxxxxx — obvious placeholders in example → ignore.
  • Numeric companyId values (e.g., 15393571083459) and other IDs are non-secret identifiers → ignore.
  • Base64 examples (e.g., aHR0cHM6Ly93d3cuYmFpZHUuY29t) are encoded sample URLs, not credentials → ignore.

Conclusion: one high-entropy token-like value was found and flagged.

Issues (3)

W007
HIGH

Insecure credential handling detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level
HIGH
Analyzed
Jul 13, 2026, 01:00 PM
Issues
3