▥AGENT LAB: SKILLS — FEB 26 NYCNYC

skills/tencentcloudbase/skills/auth-web-cloudbase/Snyk

auth-web-cloudbase

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

Insecure credential handling detected (high risk: 0.80). The prompt's examples and Quick Start show embedding a "publishable key" (accessKey) and plaintext passwords/OTP tokens directly into code and instructs using an auth tool to obtain the publishable key, which encourages the agent to fetch and insert secret values verbatim into generated code—creating exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.80). The skill specifies a runtime CDN for the CloudBase JavaScript SDK (https://static.cloudbase.net/cloudbase-js-sdk/latest/cloudbase.full.js), which would be fetched and executed in the client as a required dependency, so it is a high-confidence remote-code execution dependency.

Audit Metadata

Risk Level

HIGH

Analyzed

Feb 15, 2026, 08:13 PM