Skills
NYC
skills/josiahsiegel/claude-plugin-marketplace/azure-emulators-2025/Snyk

azure-emulators-2025

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains numerous hard-coded secrets and example credentials (e.g., Azurite AccountKey, Cosmos emulator key, SA passwords, RabbitMQ/Grafana passwords and inline connection strings), which the LLM would likely reproduce verbatim in generated configs or commands, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill includes Docker image URLs that are fetched and run at runtime (for example: mcr.microsoft.com/azure-storage/azurite:latest), which are required dependencies and result in executing remote code from external registries.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). Flagged because the document contains literal, high-entropy credential strings that are directly usable:
  • Azurite standard connection string includes AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw== — long, base64-like, high entropy and present verbatim.
  • Cosmos DB emulator master key C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw== — long, base64-like, high entropy and present verbatim.

Note: these are well-known emulator default keys (used for local development), but they are literal, high-entropy credentials included in the documentation and therefore match the definition of a secret in this analysis.

Ignored items (not flagged):

  • "Password=YourStrong!Passw0rd" in SQL Server connection string — example placeholder/sample, not high-entropy random secret.
  • Placeholders like SAS_KEY_VALUE, ${MSSQL_SA_PASSWORD}, environment-variable references, and truncated/redacted values.
  • Low-entropy setup/demo passwords (ServiceBus123!, admin123, admin, RABBITMQ_DEFAULT_PASS, GF_SECURITY_ADMIN_PASSWORD=admin) — considered documentation/setup examples and ignored per rules.
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 08:57 PM