tracking-token-launches

Fail

Audited by Snyk on Mar 12, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt shows and encourages passing API keys/secrets directly on the command line (e.g., --etherscan-key YOUR_KEY, --rpc-url), which embeds secrets verbatim in commands and their outputs and creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill directly fetches and ingests public, untrusted on-chain and third-party data (e.g., eth_getLogs/eth_call/eth_getCode calls to public RPC endpoints in scripts/event_monitor.py and scripts/token_analyzer.py, and explorer/API lookups such as Etherscan/DexScreener referenced in SKILL.md and ARD.md). It parses that content and uses it to compute risk scores and drive analysis, so external (user-created) contract data can materially influence agent behavior.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 12, 2026, 01:00 AM
Issues: 2