File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- src/skillpay.ts:39
Security audit
Security checks across malware telemetry and agentic risk
The course-generation purpose is coherent, but the skill embeds a billing API key, sends Edustem credentials to a hardcoded ngrok endpoint, and can charge SkillPay before generation succeeds.
Only use this skill if you trust the publisher, can verify the Edustem endpoint, and understand the SkillPay charges. Avoid entering real Edustem credentials until the API host is confirmed, and ensure any integration passes a real authenticated user ID rather than relying on the default.
66/66 vendors flagged this skill as clean.
Detected: suspicious.exposed_secret_literal