pagbank-connect

Fail

Audited by Snyk on May 19, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly requires inserting a Connect Key into Authorization headers (shows "Authorization: Bearer {connectKey}" / "Authorization: Bearer CONSANDBOX..."), which encourages embedding secret tokens verbatim into requests or CLI/code snippets and therefore poses a high exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is a specific payment gateway integration for PagBank (PagBank Integrações) and explicitly includes API endpoints and instructions to create orders/payments (POST connect/ws/orders), process PIX, boleto and credit-card payments, obtain public keys for card encryption, and use Connect Keys (CON.../CONSANDBOX...). This is not a generic API caller or browser automation: its primary, explicit purpose is to initiate and manage financial transactions. Therefore it grants Direct Financial Execution capability.

Issues (2)

  • HIGH W007: Insecure credential handling detected in skill instructions.
  • MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: May 19, 2026, 06:00 AM
Issues: 2