spoonos-application-templates
Warn
Audited by Snyk on Mar 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The DAO Assistant template (scripts/dao_assistant.py) explicitly queries the public Snapshot GraphQL endpoint (https://hub.snapshot.org/graphql) to fetch community proposals — untrusted, user-generated content that the agent reads as part of its workflow and could materially influence voting/agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The ResearchAgent includes an MCPTool configured to run "npx -y tavily-mcp" at runtime. That command fetches and executes remote package code via npm/npx, and the tool is included as a dependency of the agent, so this is a runtime-executed external dependency (npx tavily-mcp).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill package explicitly includes templates and tools whose primary purpose is moving or transacting crypto assets. Examples:
  - Trading bot template: lists "Execute swaps with slippage protection" in the agent prompt and instantiates a SwapExecutorTool() — a specific tool for performing swaps (on-chain transactions).
  - NFT minter template: includes "Deploy or interact with NFT contracts" and "Mint tokens" via a ContractDeployTool and minting workflow — explicit contract transactions that change token ownership/state.
  - DAO assistant: "Execute votes" and references on-chain governor contracts (timelock execution) and delegation — actions that may perform on-chain transactions.
  - Environment variables include PRIVATE_KEY and RPC_URL, indicating the system is configured to sign and submit blockchain transactions.

  These are not generic tooling; they are specifically designed for crypto transaction execution (wallet signing, swaps, contract deployments). Under the Core Rule (crypto/blockchain: wallets, swaps, signing), this qualifies as Direct Financial Execution Authority.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).