interswitch-setup
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill includes hardcoded test credentials within the environment variable example section. Evidence found in `SKILL.md`: `TEST_CLIENT_ID=IKIAB23A4E2756605C1ABC33CE3C287E27267F660D61`, `TEST_SECRET_KEY=secret`, `CARD_API_CLIENT_ID=IKIA3B827951EA3EC2E193C51DA1D22988F055FD27DE`, `CARD_API_SECRET_KEY=ajkdpGiF6PHVrwK`, `DEFAULT_WALLET_PIN=1234`.
- [DATA_EXFILTRATION]: The `interswitchRequest` helper function is vulnerable to indirect prompt injection as it accepts an unvalidated endpoint parameter.
  * Ingestion points: `endpoint` parameter in `interswitchRequest` function within `SKILL.md`.
  * Boundary markers: None present to separate trusted from untrusted URL components.
  * Capability inventory: The function makes network requests (`fetch`) and automatically includes sensitive `Authorization` headers.
  * Sanitization: No URL validation or sanitization is implemented to ensure requests are only sent to trusted Interswitch domains.
Audit Metadata