compliance-testing
Warn
Audited by Snyk on Apr 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md test suite explicitly navigates pages and inspects third-party network requests and cookies (see "Script Blocking" which monitors requests to google-analytics.com, googletagmanager.com, facebook.net, analytics.tiktok.com, etc., and the cookie drift tests that visit public paths and evaluate cookies), so it clearly fetches and ingests untrusted third-party web content which is used to drive compliance decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The CI workflow pulls and executes external GitHub Actions and npm-installed tooling at runtime (e.g., uses: actions/checkout@v4 -> https://github.com/actions/checkout, uses: actions/setup-node@v4 -> https://github.com/actions/setup-node, uses: actions/upload-artifact@v4 -> https://github.com/actions/upload-artifact and npx/playwright from the npm registry), which are fetched during skill execution and run remote code required for the tests.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata