terra-connections
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes an explicit API key/dev_id string in example code, which encourages the agent to embed or echo secret credentials verbatim in generated code or commands, creating a high exfiltration risk.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the full prompt for literal, high-entropy credentials. The only high-entropy, literal string that looks like a real API key is the api_key value in the Python widget example:
api_key="_W7Pm-kAaIf1GA_Se21NnzCaFZjg3Izc"
This appears to be a real/usable credential (random-looking, not a documented placeholder like "YOUR_API_KEY" or "sk-xxxx"), so I flagged it.
I did not flag dev_id="botaniqalmedtech-testing-SjyfjtG33s" because it is an identifier (contains the word "testing") and is not a secret credential per the definition. All other values are clearly example/reference values (e.g., "user_12345", "terra_abc123") or documentation placeholders and do not meet the entropy/secret criteria.