interswitch-testing

Fail

Audited by Snyk on Mar 13, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds explicit client IDs, secret keys, and test card numbers (including .env entries and sample configs) and instructs using them in code/configs, which requires the agent to include those secret values verbatim in generated outputs.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I flagged the presence of three high-entropy, literal credentials that appear directly in the documentation/.env and could be used to access Interswitch sandbox APIs:
      • INTERSWITCH_CLIENT_ID = IKIAB23A4E2756605C1ABC33CE3C287E27267F660D61 (present in "General Test Credentials" and .env)
      • INTERSWITCH_CARD_CLIENT_ID = IKIA3B827951EA3EC2E193C51DA1D22988F055FD27DE (present in "Card Payment API Credentials" and .env)
      • INTERSWITCH_CARD_SECRET_KEY = ajkdpGiF6PHVrwK (present in "Card Payment API Credentials" and .env)

These are long/alphanumeric or random-looking values (high entropy) and are literal values in the file — they meet the definition of secrets even though they are labeled as test credentials.

I ignored the following as false positives per the provided rules:

  • INTERSWITCH_SECRET_KEY = secret — low-entropy setup/example password (ignored).
  • INTERSWITCH_WEBHOOK_SECRET = your_webhook_secret_here — obvious placeholder (ignored).
  • Test card numbers and test numeric IDs (pay item IDs, merchant codes, account numbers) — documented test values, not high-entropy API secrets, and described as test data (ignored).
  • All URLs and environment variable names — not secrets.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly for integrating and testing a payment gateway (Interswitch). It contains payment-specific credentials (client IDs, secret keys, merchant codes, pay item IDs), sandbox and live endpoints, test card numbers, example payloads and code to initiate checkouts, card payments, and transfers, and webhook signing/sending logic. These are specific tools and artifacts intended to create and process transactions (even if in test mode), so the skill grants direct financial execution capability related to a payment gateway.


Audit Metadata

Risk Level: HIGH
Analyzed: Mar 13, 2026, 03:22 PM
Issues: 3