performing-paste-site-monitoring-for-credentials

Fail

Audited by Snyk on Apr 7, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill's code extracts and records credential "samples" from pastes and includes them in alerts/JSON output (and uses an explicit GitHub token header), which requires handling and outputting secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and analyzes public, user-generated content (e.g., Pastebin via SCRAPING_URL in SKILL.md's PastebinMonitor.fetch_recent_pastes/get_paste_content, HaveIBeenPwned paste API in scripts/agent.py.check_paste_dumps, and GitHub gists via GitHubSecretMonitor.search_gists), and those untrusted pastes/gists are parsed to drive severity scoring and generate alerts/actions, so third-party content can materially influence agent behavior.

Issues (2)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: HIGH
Analyzed: Apr 7, 2026, 12:59 PM
Issues: 2