Skills
skills/workos/skills/workos-authkit-vanilla-js/Snyk

workos-authkit-vanilla-js

Warn

Audited by Snyk on Feb 24, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). This skill's Step 1 requires a blocking WebFetch of the public GitHub README at https://github.com/workos/authkit-js/blob/main/README.md and declares it the "source of truth," so the agent will read and act on externally-hosted, potentially untrusted third-party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill performs a blocking WebFetch of the README at https://github.com/workos/authkit-js/blob/main/README.md and explicitly declares "README is source of truth," so the fetched content is required at runtime and directly controls the agent's instructions.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 24, 2026, 05:49 AM