Skills
skills/robinbg/webhook-skills/postmark-webhooks/Snyk

postmark-webhooks

Fail

Audited by Snyk on Mar 1, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt explicitly shows and recommends embedding credentials and tokens in webhook URLs (e.g., https://username:password@... and ?token=your-secret-token) which encourages including secret values verbatim in generated URLs/commands, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill defines a public POST endpoint (/webhooks/postmark) in SKILL.md and multiple examples (examples/express/src/index.js, examples/fastapi/main.py, examples/nextjs/app/webhooks/postmark/route.ts) that ingest Postmark webhook payloads — including Inbound events with HtmlBody/TextBody and Click events with OriginalLink — and explicitly show processing that can trigger downstream actions (e.g., "Process incoming email", "Trigger re-engagement workflow"), so untrusted/user-generated third-party content is read and can materially influence behavior.
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 1, 2026, 04:29 PM