terra-troubleshooting

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds real-looking API keys and shows them being used inline (e.g., in ENVIRONMENTS and health-check scripts), which requires the agent to handle and potentially reproduce secret values verbatim in generated code or commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's code and examples explicitly fetch and process external provider data and user-generated data (e.g., client.integrations.fetch, client.nutrition.get for MyFitnessPal, various provider APIs such as Fitbit/Garmin/WHOOP, and incoming webhook payloads at /webhook), meaning the agent would read and interpret untrusted third-party content.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that look like real credentials and not placeholders.

Findings flagged as real secrets:

  • api_key values in the ENVIRONMENTS block, repeated in the Health Check script:
      ◦ "_W7Pm-kAaIf1GA_Se21NnzCaFZjg3Izc"
      ◦ "fJia30spa-EqB_CMqZBzzrkMWZ_u2pv_"
      ◦ "Il4YUTc-e00EcvKGUx63j7YE3MJ-7QIz"
    These are high-entropy strings (mixed case, digits, punctuation, substantial length) and are presented as literal API keys, not placeholders.

Related identifiers present:

  • dev_id values ("botaniqalmedtech-testing-SjyfjtG33s", "botaniqalmedtech-staging-uGKHOPRCi1", "botaniqalmedtech-prod-yrc99AwsT2"). These look like real environment IDs; while a dev_id may be less sensitive than an API key, they are still real identifiers included in the document.

Ignored items / not flagged:

  • The earlier usage client = Terra(dev_id="...", api_key="...") is a placeholder and was ignored.
  • Referenced variables like SIGNING_SECRET are names only (no secret value provided).
  • Email, IP lists, and other example/simple strings (e.g., "user_123", "terra_abc123", "openclaw"-style examples) were ignored per the rules.

Conclusion: The document contains literal API keys (high-entropy, likely usable) and environment dev_ids, so it should be treated as containing real secrets.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:28 AM