use-hln-api

Fail

Audited by Snyk on Apr 4, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains a literal API key and explicitly instructs the agent to send API keys (user-provided or the built-in key) as the X-API-Key header when calling endpoints, which requires embedding secret values verbatim in requests/commands and creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly calls the public HL Names API (base URL https://api.hlnames.xyz/) in SKILL.md and references/endpoints.md (e.g., GET /resolve/profile/:address and GET /records/full_record/:nameHashOrId) and instructs the agent to read and interpret returned user-controlled fields like data.records (free-form profile/text records) and mint-pass responses, so arbitrary third-party, user-generated content can influence subsequent actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I found a literal, high-entropy API key in the prompt: "NILB2EY-R4LUDOA-WN5G5JQ-KHAQOLA" (the "built-in public agent key" used as the default X-API-Key). This is a real-looking API key string (high entropy and not a placeholder like YOUR_API_KEY or sk-xxxx). Even though the text labels it "public", it is still a concrete credential present in the documentation and thus meets the definition for a secret disclosure. No other high-entropy secrets, private keys, or PEM blocks are present; other values are environment names, endpoint examples, or clearly non-secret placeholders and are ignored per the rules.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly exposes a crypto-related signing endpoint: POST /sign_mintpass/:label, and it instructs the agent to request that endpoint as a readiness check "when the developer is prepared to submit the mint transaction promptly" and to preserve returned mint-pass signatures. This is a specific blockchain signing capability (mint-pass signing) intended to be used in on-chain mint transactions rather than a generic HTTP caller, so it qualifies as direct crypto execution authority.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 4, 2026, 05:25 AM
Issues: 4