Skills
skills/padparadscho/skills/js-stronghold-sdk/Gen Agent Trust Hub

js-stronghold-sdk

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): A specific sandbox secret key is hardcoded in the documentation. Even for testing environments, hardcoded keys can be leaked or misused. Evidence: 'SH-SECRET-KEY: sk_sandbox_sEGTb5Q9B8Pz-I5ZZ9dTKOko' in references/rest-api.md.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires including remote JavaScript from a third-party domain (api.strongholdpay.com). While intended for the SDK, this represents unverified remote code execution as the domain is not in the trusted source list. Severity dropped from HIGH to MEDIUM as it is the primary skill purpose. Evidence: '' in SKILL.md.
  • [REMOTE_CODE_EXECUTION] (LOW): The skill instructs the use of jQuery via a common CDN. Evidence: 'https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js' in references/sdk-reference.md.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes untrusted external data via PayLink callbacks and order items which could be used to influence agent behavior. 1. Ingestion points: 'success_url', 'exit_url', and itemized cart fields in references/paylink.md. 2. Boundary markers: Absent. 3. Capability inventory: JavaScript SDK execution and browser redirection. 4. Sanitization: Absent in documentation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:35 PM