extensions
Enables the creation and management of interactive Alpine.js mini-apps within iframes, allowing for dynamic user interfaces.
Install this skill
Security score
The extensions skill was audited on Jun 10, 2026 and we found 8 security issues across 2 threat categories, including 7 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 364 | user has set up. Reference it via `${keys.OPENAI_API_KEY}` / |
Template literal with variable interpolation in command context
| 365 | `${keys.ANTHROPIC_API_KEY}` and surface a clear error if the proxy |
Template literal with variable interpolation in command context
| 380 | For external API calls, use `extensionFetch()` with `${keys.NAME}` placeholders |
Template literal with variable interpolation in command context
| 382 | `Authorization: 'Bearer ${keys.GITHUB_TOKEN}'`. The proxy resolves the value |
Template literal with variable interpolation in command context
| 395 | - **Never hardcode secrets or private data.** Use `${keys.NAME}` placeholders |
Template literal with variable interpolation in command context
| 398 | - **Single quotes around `${keys.*}`** to prevent browser-side template literal evaluation. |
Template literal with variable interpolation in command context
| 404 | - `secrets` -- creating and managing API keys for `${keys.NAME}` substitution. |
Webhook reference - potential data exfiltration
| 374 | Never put a real API key, token, webhook URL, signing secret, private |