Skills
skills/zulabmm/stashthis-agent-skill/stashthis-agent/Snyk

stashthis-agent

Fail

Audited by Snyk on Feb 21, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells the agent to ask the user for their StashThis API key and to write it into a file via an echo command, and to display the hooks token for copy-paste into StashThis settings—forcing the agent to handle and output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md webhook handling plus scripts (scripts/stash.sh and scripts/stash-sync.sh) and references/api.md explicitly fetch and sync full content from StashThis (which ingests arbitrary public URLs, X posts, YouTube, etc.), and the agent is expected to read/interpret that third‑party/user‑generated content to generate summaries and take follow-up actions, exposing it to indirect prompt injection.
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 21, 2026, 05:28 PM