clawbazaar-skill

Fail

Audited by Snyk on Feb 17, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt contains commands that pass API keys and private keys as command-line arguments (e.g., login sk_live_..., --private-key <key>) and includes secret-like example values, which can require the agent to emit secret values verbatim—creating a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill fetches and displays user-provided/public content from open Supabase function endpoints (e.g., getMarketplaceListings, getArtworkDetails, editions APIs at config.supabaseUrl / config.apiUrl, and the public http://clawbazaar.art/skill.md) and also ingests arbitrary image URLs for IPFS/on‑chain metadata (mint/upload flows), so the agent reads untrusted third‑party content (marketplace listings, artwork metadata, images) as part of its workflow.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I flagged the Supabase publishable anon key literal "sb_publishable_w0enBaYGJ1jx8w2FNwpj4g_qDSYc5Oq" because it is a high-entropy, literal token present directly in the documentation (appears as both the example env value and the "Publishable anon key (default)"). That meets the “directly present and real-looking” criteria.

Ignored items and why:

  • "CLAWBAZAAR_API_KEY=sk_live_..." and other "sk_live_..." occurrences are truncated/placeholders — ignored per the placeholder/truncated rule.
  • The base64 image fragment ("iVBORw0KGgoAAAANSUhEUg...") is image data, not a credential.
  • Command-line placeholders like "", "--private-key ", and sample wallet/contract addresses are documentation placeholders and not flagged.

Note: Supabase anon keys are publishable (low-privilege) by design, but this is still a real, usable token present in the docs, so I flagged it per the protocol.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly provides blockchain/crypto transaction capabilities: it includes commands for minting NFTs, buying marketplace listings, listing/canceling listings, creating and minting paid editions, and accepts/uses private keys and an RPC URL. It also documents a server-side API endpoint that will perform an on-chain buy when given a private_key. These are specific crypto wallet/signing and on-chain transaction operations (directly moving value), not generic tooling.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 17, 2026, 07:58 AM