Skills
skills/doyoonear/skills-and-agents/perf-bottleneck-finder/Snyk

perf-bottleneck-finder

Fail

Audited by Snyk on Mar 6, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes a CLI option (--auth-cookie) that implies passing an authentication cookie value directly on the command line, which would require embedding a secret verbatim in commands/output and is an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's required workflow (SKILL.md Phase 2 and the scripts/measure_page_performance.py entrypoint) instructs the agent to visit an arbitrary --url and uses browser_evaluate/PERFORMANCE_SCRIPT to ingest performance.getEntriesByType('resource') and API request data from that public page, which the skill then interprets to drive bottleneck analysis and subsequent actions—i.e., untrusted third‑party content is fetched and directly influences decisions.
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 6, 2026, 06:38 AM