Skills
skills/marclelamy/skills/spec-to-code-compliance/Snyk

spec-to-code-compliance

Fail

Audited by Snyk on Apr 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill mandates verbatim citations of code and documentation (exact text/code excerpts with file+line numbers), so if source files contain secrets the agent would be required to reproduce them in output, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts a "Spec document" as a path or URL and includes WebFetch/Read-based documentation discovery and normalization (see commands/spec-compliance.md "Spec document (required): Path to specification ... or URL" and SKILL.md Phase 0 "Documentation Discovery"), so it will fetch and ingest untrusted public third-party content that can directly influence its analysis and actions.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
Apr 13, 2026, 11:16 AM
Issues
2