Skills
NYC
skills/fluid-tools/claude-skills/convex-fundamentals/Snyk

convex-fundamentals

Warn

Audited by Snyk on Feb 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill clearly ingests untrusted third-party content: the processJob action calls fetch("https://api.example.com/generate") and reads result.json() (processing external API output), and the /webhooks/stripe HTTP action reads req.text() (incoming webhook body) and passes it into internal mutations, so the agent will read/interpret external/user-provided data.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill includes explicit payment gateway integrations: a Stripe webhook route ("/webhooks/stripe") and example code that validates a Stripe signature and delegates to internal.billing.handleStripeWebhook. It also shows example fetch calls to "https://api.stripe.com/..." when handling prices. These are specific, non-generic references to a payment provider (Stripe), which qualifies as direct financial execution capability.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 15, 2026, 08:52 PM