scry

Warn

Audited by Snyk on May 3, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly queries and ingests public, user-generated content (e.g., scry.entities and source-native views like scry.reddit_posts, scry.twitter_posts, scry.bluesky, scry.huggingface_*, scry.gutenberg_books) via the /v1/scry/query flow described in SKILL.md and uses those results to drive agent actions (reranking, judgments, shares, follow-up queries), which clearly exposes the agent to untrusted third‑party content that could contain indirect prompt-injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs agents to call the runtime endpoint GET https://api.scry.io/v1/scry/context?skill_generation=2026041201 at session start and to use the returned offerings.public_agent_prompt.copy_text as the canonical bootstrap prompt, so remote content from that URL is fetched at runtime and can directly control agent prompts.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The Scry skill is primarily a read-only SQL-over-HTTPS search interface, but its documentation explicitly exposes payment/funding control endpoints and rails. It references Stripe saved-method funding, crypto_topup, the x402 wallet flow, and explicit billing endpoints such as POST /v1/billing/agent-topup (which "charges the default stored payment instrument" for agent-initiated funding), POST /v1/billing/payment-mandates, PATCH /v1/billing/auto-topup, and other charge/receipt primitives. Those are specific payment/charging APIs (including card and crypto rails), not just generic HTTP/cost-estimate metadata. Because the skill includes concrete payment/funding actions (able to initiate charges/topups and manage payment instruments and mandates), it qualifies as granting direct financial execution authority.

Issues (3)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: May 3, 2026, 07:40 PM
Issues: 3