orchestrate-multi-target-sdks
Warn
Audited by Snyk on Feb 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). This skill explicitly pulls OpenAPI specifications from an external registry (e.g., the workflow sources with locations like "registry.speakeasyapi.dev/org/repo/main-openapi:main") and consumes those third-party specs at runtime to generate SDKs, meaning untrusted/user-provided content will be read and interpreted.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The CI workflow references and will fetch/execute an external GitHub workflow (speakeasy-api/sdk-generation-action/.github/workflows/workflow-executor.yaml@v15 — e.g. https://github.com/speakeasy-api/sdk-generation-action/.github/workflows/workflow-executor.yaml@v15) at runtime, which means remote code is executed as a required dependency.