pagbank-connect
Fail
Audited by Snyk on May 19, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill explicitly requires inserting a Connect Key into Authorization headers (shows "Authorization: Bearer {connectKey}" / "Authorization: Bearer CONSANDBOX..."), which encourages embedding secret tokens verbatim into requests or CLI/code snippets and therefore poses a high exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is a specific payment gateway integration for PagBank (PagBank Integrações) and explicitly includes API endpoints and instructions to create orders/payments (POST connect/ws/orders), process PIX, boleto and credit-card payments, obtain public keys for card encryption, and use Connect Keys (CON.../CONSANDBOX...). This is not a generic API caller or browser automation: its primary, explicit purpose is to initiate and manage financial transactions. Therefore it grants Direct Financial Execution capability.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata