deco-e2e-testing
Warn
Audited by Snyk on Mar 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill actively fetches and parses live site content (e.g., run-e2e.ts and SKILL.md/waitForServerReady call the site's /deco/_liveness and ?__d endpoints, templates/specs/ecommerce-flow.spec.ts navigates and acts on arbitrary SITE_URL pages, and templates/utils/metrics-collector.ts parses /deco/render URLs, x-deco-section headers and JSON "props"), so it ingests untrusted public/site-generated content that can influence test behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The templates/scripts/baseline.ts file imports remote Deno modules (https://deno.land/std@0.224.0/fs/mod.ts and https://deno.land/std@0.224.0/path/mod.ts) which are fetched and executed at runtime when running the baseline tasks (e.g., deno run -A scripts/baseline.ts), so external code is executed and required by the skill.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata