Skills
skills/jg-chalk-io/nora-livekit/moai-testing-load/Snyk

moai-testing-load

Warn

Audited by Snyk on Mar 2, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's SKILL.md and examples.md include k6/Gatling scripts that fetch public URLs (e.g., https://httpbin.org, various https://*.example.com endpoints and a remote library at https://jslib.k6.io/papaparse/...), parse JSON/headers (extracting productId, X-DB-Time, etc.), and use that content to drive subsequent requests and CI decisions, which clearly ingests untrusted third‑party web content that can influence tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The k6 example imports and executes remote code at runtime from https://jslib.k6.io/papaparse/5.1.1/index.js (import papaparse ...), which is a required dependency for that script and therefore allows external code to control execution.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 2, 2026, 05:17 PM