Skills
NYC
skills/thebushidocollective/han/fastapi-dependency-injection/Snyk

fastapi-dependency-injection

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains multiple examples that hard-code secrets and credentials (e.g., SECRET_KEY, 'my-api-key', 'postgresql://user:pass...', API keys) and shows embedding them directly in code, which instructs the agent to handle or output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill clearly ingests untrusted third-party content — e.g., WebSocket endpoints (/ws/{client_id} and /ws/messages/{room_id}) call websocket.receive_text() and broadcast/save user messages, the /upload endpoint reads arbitrary UploadFile content, and endpoints call external HTTP APIs (client.get('https://api.example.com/data')) — all of which expose the agent to user-generated or public external data.
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 09:56 AM