mapbox-store-locator-patterns
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt embeds a Mapbox access token directly in client-side code (mapboxgl.accessToken = 'YOUR_MAPBOX_ACCESS_TOKEN') and uses it in request URLs, which encourages placing the real secret verbatim into generated code/requests and thus risks secret exposure.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill loads and executes Mapbox's runtime JavaScript from https://api.mapbox.com/mapbox-gl-js/v3.0.0/mapbox-gl.js (and the associated CSS) via script/link tags at runtime, which is a required dependency that pulls and runs remote code in the page.