alchemy-api

Warn

Audited by Snyk on Apr 22, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's documentation and required workflow (e.g., references/data-nft-api.md and the SKILL.md quickstart) explicitly instruct calling NFT endpoints that resolve tokenUri values (IPFS/external URLs / originalUrl fields) and return raw metadata that the app is expected to fetch and parse, which clearly ingests untrusted, user-generated third‑party content that could influence app behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly for blockchain financial operations: it exposes EVM JSON-RPC endpoints (reads and writes), Transfers API, Wallets/Account Kit, Bundler/Gas Manager/Smart Wallets, Portfolio API, simulation and transaction-related endpoints, and base URLs for mainnet RPCs. These are specific crypto/blockchain APIs able to create/sign/send on-chain transactions and manage wallets, so it provides direct financial execution capability.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 22, 2026, 08:14 PM
Issues: 2