NYC

sip-authentication-security

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains hardcoded secret strings (e.g., 'secret-server-key' in generateNonce and inline SRTP keys in example SDP) and code paths that accept and embed passwords/keys, so reproducing or using the skill would cause secrets to be output verbatim and create exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill ingests and parses untrusted SIP/SDP and header data from network peers (e.g., SipTlsServer.handleData, SipRegistrar.handleRegister, SipAuthenticatedClient.sendRegister and parseChallenge/parseCryptoAttribute/validateSdp), so it directly consumes arbitrary third‑party, user-generated protocol content at runtime.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the prompt for literal, high-entropy values that would be usable credentials.

Flagged secret:

  • The SDP SRTP inline key: "PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR" (appears in the SDP lines: a=crypto:1 ... inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32 and a=crypto:2 ... inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32). This is a long, random-looking base64-like string used inline as SRTP master key material and qualifies as a high-entropy secret that could be used to decrypt media.

Ignored/treated as non-secrets (reasons):

  • "secret-server-key" in SipDigestAuth.generateNonce(): low-entropy, obvious example/placeholder string — treated as a documentation/example value.
  • Nonce/response examples with ellipses (e.g., "dcd98b7102dd..." and "6629fae49393..."): truncated/redacted values — ignore per rules.
  • File path placeholders like '/path/to/server-key.pem', '/path/to/client-cert.pem', etc.: placeholders, not literal keys.
  • Example usernames ("alice"), realms ("atlanta.com"), and simple example strings: documentation examples, low entropy.
  • Any values generated by crypto.randomBytes() in code are not hardcoded secrets in the text.
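Both the W011 finding (parseCryptoAttribute and validateSdp consume peer-supplied SDP) and the W008 finding (the inline SRTP key) concern the SDES a=crypto attribute of RFC 4568. The following is an added example, not code from the audited skill, of parsing that attribute defensively: strict base64, key||salt length checked against the announced crypto-suite, lifetime and MKI bounds enforced, and a malformed offer rejected rather than partially accepted. The two sample lines are constructed from the key quoted in the W008 finding; the finding elides the crypto-suites, so the two suites shown are our assumption. One triage caveat: this 40-character value is the inline key that appears in RFC 4568's own examples, so a hit on it in documentation is more likely a copied RFC example than live key material. A scanner cannot tell the two apart, which is the practical reason not to paste even example keys into instructions a model may echo.

```javascript
// Added example, not the audited skill's code: defensive parsing of the SDES
// "a=crypto" attribute (RFC 4568) as received from an untrusted SIP peer.
// The function name parseCryptoAttribute echoes the audit; everything else
// (error classes, selectCryptoOffer, the sample lines) is ours.

// Master key and salt lengths per crypto-suite (RFC 4568 for the first three,
// RFC 7714 for the AEAD suites). An unknown suite is refused, not guessed.
const SUITES = {
  AES_CM_128_HMAC_SHA1_80: { keyLen: 16, saltLen: 14 },
  AES_CM_128_HMAC_SHA1_32: { keyLen: 16, saltLen: 14 },
  F8_128_HMAC_SHA1_80:     { keyLen: 16, saltLen: 14 },
  AEAD_AES_128_GCM:        { keyLen: 16, saltLen: 12 },
  AEAD_AES_256_GCM:        { keyLen: 32, saltLen: 12 },
};
const B64_STRICT = /^[A-Za-z0-9+/]+={0,2}$/;

class SdpParseError extends Error {}
class UnsupportedSuiteError extends SdpParseError {}
function fail(msg, Cls = SdpParseError) { throw new Cls(msg); }

// a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
function parseCryptoAttribute(line) {
  const m = /^a=crypto:(\d{1,9}) (\S+) (\S+)((?: \S+)*)$/.exec(String(line).trim());
  if (!m) fail('malformed a=crypto line');
  const [, tagStr, suite, keyParams, sessionParams] = m;
  const tag = Number(tagStr);
  if (tag < 1) fail('crypto tag must be >= 1');
  const spec = SUITES[suite];
  if (!spec) fail(`unsupported crypto-suite ${suite}`, UnsupportedSuiteError);
  const keys = keyParams.split(';').map((kp) => parseKeyParam(kp, spec));
  return { tag, suite, keys, sessionParams: sessionParams.trim().split(' ').filter(Boolean) };
}

// key-param = "inline:" base64(key||salt) [ "|" lifetime ] [ "|" MKI ":" length ]
function parseKeyParam(kp, spec) {
  if (!kp.startsWith('inline:')) fail('only the inline key method is supported');
  const [b64, ...rest] = kp.slice('inline:'.length).split('|');
  if (rest.length > 2) fail('too many key-param fields');
  // Node's base64 decoder is lenient, so validate the alphabet and length first.
  if (!B64_STRICT.test(b64) || b64.length % 4 !== 0) fail('key is not strict base64');
  const raw = Buffer.from(b64, 'base64');
  const expected = spec.keyLen + spec.saltLen;
  if (raw.length !== expected) fail(`key||salt must be ${expected} bytes, got ${raw.length}`);

  const out = { masterKey: raw.subarray(0, spec.keyLen), masterSalt: raw.subarray(spec.keyLen), lifetime: null, mki: null };
  for (const f of rest) {
    if (/^2\^\d{1,2}$/.test(f)) {
      if (Number(f.slice(2)) > 48) fail('lifetime exceeds 2^48'); // RFC 4568 SRTP maximum
      out.lifetime = f;
    } else if (/^\d{1,15}$/.test(f)) {
      out.lifetime = f;
    } else if (/^\d{1,39}:\d{1,3}$/.test(f)) {
      const [mkiStr, lenStr] = f.split(':');
      const len = Number(lenStr);
      if (len < 1 || len > 128) fail('MKI length out of range');
      if (BigInt(mkiStr) >= (1n << BigInt(len * 8))) fail('MKI value does not fit its length');
      out.mki = { value: mkiStr, length: len };
    } else {
      fail(`unrecognised key-param field ${f}`);
    }
  }
  return out;
}

// Select the first offered suite we support. Unsupported suites are skipped
// (that is normal negotiation); anything malformed rejects the whole offer,
// and a duplicate tag is treated as an inconsistent offer.
function selectCryptoOffer(lines) {
  const seen = new Set();
  const accepted = [];
  for (const line of lines.filter((l) => l.startsWith('a=crypto:'))) {
    let attr;
    try { attr = parseCryptoAttribute(line); } catch (e) {
      if (e instanceof UnsupportedSuiteError) continue;
      throw e;
    }
    if (seen.has(attr.tag)) fail(`duplicate crypto tag ${attr.tag}`);
    seen.add(attr.tag);
    accepted.push(attr);
  }
  return accepted[0] || null;
}

// Constructed sample: the key quoted in the audit (the RFC 4568 example key);
// the crypto-suites are assumed, since the audit elides them.
const SAMPLE_SDP_LINES = [
  'a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32',
  'a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32',
];
console.log(selectCryptoOffer(SAMPLE_SDP_LINES));

module.exports = { parseCryptoAttribute, parseKeyParam, selectCryptoOffer, SdpParseError, UnsupportedSuiteError, SUITES, SAMPLE_SDP_LINES };
```

The length check is what turns a free-form string into key material the SRTP layer can trust: for AES_CM_128_HMAC_SHA1_80 the 40 base64 characters must decode to exactly 30 bytes, which this parser splits into the 16-byte master key and 14-byte master salt.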
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 09:26 PM