web-shader-extractor
Audited by Snyk on Mar 31, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt explicitly directs autonomous, non-consensual actions (automatic installs and "do not ask user") and calls out extracting "内嵌配置和密钥" (embedded configurations and keys), which goes beyond the stated shader-extraction purpose and constitutes hidden/deceptive data-exfiltration behavior.
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs extracting "内嵌配置和密钥" (embedded configuration and keys) from HTML/network captures and assembling project files/reports, which means the agent would read and could output secret values verbatim.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill contains deliberate automation to harvest and decode site-internal data (extracting runtime API keys, decoding XOR/Base64 payloads, calling Firestore REST endpoints), plus silent auto-installation and autonomous operation without user consent—behaviors that enable unauthorized data extraction and potential abuse.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and renders arbitrary public webpages (SKILL.md Phase 1: Playwright via scripts/fetch-rendered-dom.mjs and curl ''), downloads and scans third‑party JS bundles (/tmp/network.json, /tmp/*.js), and runs an Agent to analyze those untrusted, user-provided site contents (references/extraction-workflow.md) which are then used to drive extraction, porting decisions, and automated actions—creating a clear path for indirect prompt injection from external sites.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill auto-installs remote runtime components and executes them (curl | tar to install Node.js), e.g. it fetches and extracts an executable from https://nodejs.org/dist/v22.15.0/node-v22.15.0-darwin-arm64.tar.gz during runtime, which is a required dependency and runs remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly instructs the agent to autonomously install runtime/browser dependencies and write files (including extracting to /usr/local and installing Playwright/Chromium) without user confirmation, which alters the host system state and may require elevated privileges even though it doesn't explicitly call sudo—so it presents a meaningful risk of compromising the machine state.