aws-secrets-rotation
Fail
Audited by Snyk on Mar 12, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill contains explicit examples that embed secret values verbatim in CLI commands and code (e.g., --secret-string with passwords and API keys like "CHANGE_ME" and "sk_live_xxxxx") and shows using retrieved secrets directly in API calls, which would require the LLM to handle or output secret values directly.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill includes explicit, concrete integration with a payment gateway API (Stripe). The provided rotation code calls Stripe endpoints (POST to https://api.stripe.com/v1/api_keys to create keys, GET https://api.stripe.com/v1/balance to validate keys, DELETE https://api.stripe.com/v1/api_keys/{old_key} to revoke keys). Those are specific payment-gateway API actions (not generic HTTP examples) and thus meet the criterion for direct financial-execution capability.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).