exa-ci-integration
Fail
Audited by Snyk on Mar 24, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes an explicit example of setting an API key on the command line using gh secret set --body "sk_test_***", which requires or encourages embedding a secret value verbatim in commands/output and thus poses an exfiltration risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The workflow uses external GitHub Actions (uses: actions/checkout@v4 and uses: actions/setup-node@v4 — e.g. https://github.com/actions/checkout and https://github.com/actions/setup-node) which are fetched and executed at runtime and are required for the CI job, so external code will run.
Issues (2)
- HIGH W007: Insecure credential handling detected in skill instructions.
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).