Skills
skills/aradotso/trending-skills/anything-analyzer-cdp/Snyk

anything-analyzer-cdp

Fail

Audited by Snyk on Apr 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly assembles captured requests, headers, bodies, cookies and storage into the LLM prompt and asks for reproducible curl commands and protocol details, forcing the model to receive and potentially output sensitive secrets (API keys, tokens, cookies, passwords) verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill embeds a browser and captures user-specified target pages via Chrome DevTools Protocol (see "Sessions" target URL and "Capture Engine" / CDP sections) and then builds LLM prompts that include captured request/response bodies, JS hook events, and storage snapshots (see "Prompt Builder" and generated prompt), so untrusted third-party page content is ingested and directly influences AI analysis and subsequent outputs.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
Apr 13, 2026, 05:30 PM
Issues
2