postmark-webhooks
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt explicitly shows and recommends embedding credentials and tokens in webhook URLs (e.g., https://username:password@... and ?token=your-secret-token). This encourages including secret values verbatim in generated URLs/commands, creating an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's webhook handlers ingest Postmark webhook payloads (e.g., Inbound events containing TextBody/HtmlBody and other user-provided fields) via the /webhooks/postmark endpoint. See references/overview.md and the example handlers (examples/express/src/index.js, references/overview.md), which parse and log inbound email content. The skill therefore clearly consumes untrusted, user-generated third-party content.