interswitch-card-payments

Fail

Audited by Snyk on Mar 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds explicit API credentials and a secret key (and other merchant identifiers) in plaintext, which would encourage the model to include those secret values verbatim in generated code/commands, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill includes and loads remote JavaScript at runtime from https://newwebpay.qa.interswitchng.com/hosted-fields.js which executes remote code (hosted fields SDK) that the payment flow depends on, so it is a required runtime dependency that can control behavior.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned for high-entropy, literal credentials. The "Test Credentials (Card Payment API)" table contains two values that look like real, usable credentials:
      ◦ Client ID: IKIA3B827951EA3EC2E193C51DA1D22988F055FD27DE — long random-looking value consistent with an API client identifier.
      ◦ Secret Key: ajkdpGiF6PHVrwK — 16-character mixed-case string, appears to be a real secret key.

  I treat those as secrets because they are direct literal values (not placeholders) and have sufficient entropy to be usable credentials. Merchant Code (MX21696) and Pay Item ID (4177785) are identifiers, not secret keys, so I do not count them as secrets. Other placeholders (e.g., <INTERSWITCH_MODULUS_BASE64URL>, sk-xxxx examples) and obvious examples are ignored per the rules.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a payment gateway integration (Interswitch Card Payments API). It includes concrete functions and endpoints to initiate card payments, submit encrypted card authData, validate OTP, complete 3D Secure transactions, and process Google Pay tokens. It even provides test credentials and request/response schemas — i.e., it is specifically designed to move money (process card charges) rather than being a generic tool. Therefore it grants direct financial execution capability.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

  Risk Level: HIGH
  Analyzed: Mar 13, 2026, 03:22 PM
  Issues: 4