viz
Fail
Audited by Snyk on Apr 6, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The workflow explicitly instructs the agent to stop and ask for a missing GEMINI_API_KEY before continuing, which requires soliciting and handling a live API secret (and likely embedding it in subsequent API calls), creating a direct secret-exposure/exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). This skill exhibits intentional data-exfiltration patterns and a risky dynamic-update capability: it routinely ingests uploaded files/transcripts/URLs and dispatches their content to external services (Gemini image API and HeyGenverse via HeyGenverse:create_app), enforces publishing to an external host in publish mode (effectively forcing upload of user content), and mandates reading workflow/reference files at runtime (allowing behavior to be changed post-deployment — a supply-chain/backdoor vector); there is no obvious hidden exec/reverse-shell or obfuscated payloads, nor explicit credential harvesting beyond using an API key for Gemini, but the forced external uploads and runtime-updatable workflows are high-risk for unauthorized data leakage.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md Step 3 ("Acquire the content") explicitly retrieves arbitrary URLs via web_fetch (with web_search fallback) and ingests that external, potentially user-generated web content into the diagram/infographic/visualize/publish workflows, so third-party pages can directly influence tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill will fetch arbitrary user-supplied URLs at runtime via web_fetch (any URL passed in as $ARGUMENTS) and inject the retrieved document_text directly into the Gemini image-generation prompt (see the Gemini endpoint https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash-exp:generateContent?key=...), so external content can directly control model prompts.
Issues (4)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata