volcengine-avatar
Audited by Snyk on Feb 16, 2026
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I flagged one high-entropy literal that looks like a usable token. The CLI invocation contains the value:
  - skpi-ixed341d48t5k1sdp4g8c8n0
This string is long and random-looking and is passed directly to refly as --id, which could be an API/skill token that grants access. It matches the "high-entropy, literal value that provides access" definition, so I treat it as a potential secret.
I did NOT flag the other identifiers in the prompt (e.g., c-ucda40jk4sf3s27hr8e7s62d in the workflow URL or the comment about RUN_ID being "we-xxx") because these appear as public resource IDs or placeholders/format hints rather than explicit credential tokens. If skpi-ixed... is actually just a non-secret public skill identifier (not an auth token), it would be safe — but from the content alone it looks like a high-entropy credential and should be removed/rotated or replaced with a documented placeholder.