env-setup

Fail

Audited by Snyk on Feb 19, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The URL points to an unverified GitHub repository (placeholder/unknown username) whose supplied Python script is intended to be cloned and executed — this could run arbitrary code and overwrite local files, so despite GitHub being a common host the unknown source and "run this script" instruction make it potentially dangerous.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). High-risk: the repo contains a persistent prompt-injection backdoor (config/CLAUDE.md's anthropic_thinking_protocol) that instructs the agent to emit hidden “thinking” blocks combined with persona/output-style rules that forbid disclosing prompts, plus multiple supply-chain and data-exfiltration risks (unpinned npx @latest commands, MCP tools that can read/upload screenshots/files and evaluate arbitrary JS, and an apparent API key in config/mcp_config.json) — together these indicate an intentional backdoor/abuse capability that can exfiltrate secrets and enable remote code execution via fetched npm packages.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow explicitly instructs cloning a (potentially public/untrusted) GitHub repo and running sync_env.py to import files such as config/CLAUDE.md and agents/*/system.md. These files are user-generated third-party content that the agent will ingest and that can directly change system prompts and agent behavior (e.g., the included CLAUDE.md thinking protocol).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs a git clone of the remote repo (git clone https://github.com/yourusername/claude-env-sync.git) during runtime and that repository contains config/CLAUDE.md which the sync script installs as the global prompt (directly controlling agent instructions), so this is a required runtime dependency that injects external prompt content.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 19, 2026, 06:31 PM