Newt Blueprint Generator

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes explicit secret-looking values (NEWT_SECRET, passwords, pincodes) and instructs the model to generate configs that embed auth/env values, so the LLM has to reproduce those secrets verbatim in its output; that is an exfiltration path.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the full prompt for literal, high-entropy credentials. The Docker Compose example includes:
  • NEWT_ID=h1rbsgku89wf9z3
  • NEWT_SECRET=z7g54mbcwkglpx1aau9gb8mzcccoof2fdbs97keoakg2pp5z

NEWT_SECRET is a long, random-looking string (high entropy) and appears to be an actual secret; NEWT_ID is a similarly random identifier of the kind that is normally paired with such a secret. Together they are direct, usable credentials in the example and should be treated as secrets.

Ignored items (not flagged):

  • pincode: 123456 — low-entropy numeric example (allowed per policy).
  • password: your-secure-password — obvious placeholder/example.
  • basic-auth user: asdfa and password: sadf — simple/example values (low entropy).
  • DOCKER_SOCKET, endpoints, and other descriptive values — non-secret configuration or environment names.

Therefore I mark this document as containing a real secret (the NEWT_SECRET and associated NEWT_ID).
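The classification the two findings describe (a per-character entropy test on each environment value, with obvious placeholders and low-entropy numbers allowed through, and URLs or socket paths treated as plain configuration), together with the fix a practitioner would apply to the compose file, as an added example in Python that is not part of the Snyk report or of the Newt project. The compose fragment is constructed around the values quoted above; the service name, image tag, endpoint URL and the BASIC_AUTH_* variable names are assumptions made for the example.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# Constructed sample compose fragment. The env values are the ones quoted in the
# finding above; the service name, image tag, endpoint URL and the BASIC_AUTH_*
# variable names are assumptions for this example, not the skill's real file.
SAMPLE_COMPOSE = """\
services:
  newt:
    image: newt:latest
    environment:
      - ENDPOINT=https://example.com
      - NEWT_ID=h1rbsgku89wf9z3
      - NEWT_SECRET=z7g54mbcwkglpx1aau9gb8mzcccoof2fdbs97keoakg2pp5z
      - DOCKER_SOCKET=/var/run/docker.sock
      - pincode=123456
      - password=your-secure-password
      - BASIC_AUTH_USER=asdfa
      - BASIC_AUTH_PASSWORD=sadf
"""

# Only the list form of `environment:` (- KEY=VALUE) is parsed here.
ENV_LINE = re.compile(r"^(\s*-\s*)([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
URL_OR_PATH = re.compile(r"^(/|[A-Za-z][A-Za-z0-9+.-]*://)")
PLACEHOLDER = re.compile(r"your|example|changeme|change[-_]me|replace|xxx|<[^>]*>", re.I)
TOKEN_CHARS = re.compile(r"^[A-Za-z0-9_\-+/=]+$")  # alphabet of typical API keys / base64
MIN_LEN = 12             # shorter strings cannot carry much entropy in total
ENTROPY_THRESHOLD = 3.5  # bits per character; English-like text sits around 3.0 or below


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy in bits (0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(value: str) -> str:
    """Return one of: config, placeholder, low-entropy, secret."""
    if URL_OR_PATH.match(value) or not TOKEN_CHARS.match(value):
        return "config"        # URLs, socket paths, free text: not a credential shape
    if PLACEHOLDER.search(value):
        return "placeholder"   # obviously fake example such as your-secure-password
    if value.isdigit() or len(value) < MIN_LEN or shannon_entropy(value) < ENTROPY_THRESHOLD:
        return "low-entropy"   # 123456, asdfa, sadf: allowed by the policy above
    return "secret"            # long and random-looking: treat as a live credential


@dataclass
class Finding:
    key: str
    value: str
    entropy: float
    verdict: str


def scan(compose_text: str) -> List[Finding]:
    """Classify every KEY=VALUE environment entry in a compose fragment."""
    findings = []
    for line in compose_text.splitlines():
        m = ENV_LINE.match(line)
        if not m:
            continue
        _, key, raw = m.groups()
        value = raw.strip().strip("\"'")
        findings.append(Finding(key, value, round(shannon_entropy(value), 3), classify(value)))
    return findings


def redact(compose_text: str) -> str:
    """Replace each value classified as a secret with a ${KEY} reference, so the
    committed file carries no credential; the real value is then supplied by the
    host environment or an untracked .env file at `docker compose up` time."""
    out = []
    for line in compose_text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            prefix, key, raw = m.groups()
            if classify(raw.strip().strip("\"'")) == "secret":
                line = f"{prefix}{key}=${{{key}}}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in scan(SAMPLE_COMPOSE):
        print(f"{f.verdict:12} {f.key:20} H={f.entropy:.2f} bits/char")
    print(redact(SAMPLE_COMPOSE))
```

Running it prints one verdict per variable and a redacted copy in which NEWT_ID and NEWT_SECRET become `${NEWT_ID}` and `${NEWT_SECRET}`, while the pincode, the placeholder password and the basic-auth values stay, as the policy above allows. Redaction fixes the document only: a credential that has already appeared in a prompt or a repository should also be rotated, because deleting it from the file does not revoke it.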

Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 09:15 PM