steve2

Fail

Audited by Snyk on Feb 24, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt embeds explicit subagent instructions to run with mode: "bypassPermissions" (and to execute templates/background tasks), which is a deceptive directive to circumvent permissions and thus lies outside the skill's advertised, legitimate setup/execution behavior.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The skill intentionally instructs agents to bypass permission controls, auto-install third-party packages and MCP servers, auto-grant broad tool and shell permissions, spawn background subagents, and run an autonomous loop that executes arbitrary shell/npm/git commands. This behavior enables remote code execution, supply-chain compromise, and potential data exfiltration or credential leakage.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required workflow (templates/phase0-equip.md and templates/phase4-loop.md) explicitly runs npx/git commands to add third-party skills and MCP servers (e.g., "npx skills add ...", "claude mcp add ...", "git clone https://github.com/...") and mandates using Context7 and "installed skills" (PROMPT.md: "USE THEM", "Query up-to-date docs before using any library"), meaning the agent will fetch and read untrusted external content (public skill repos, MCP transports, docs) that can materially influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The Phase 4 setup explicitly runs remote installer code at runtime via "git clone https://github.com/frankbria/ralph-claude-code.git /tmp/ralph-claude-code" followed by "./install.sh", which fetches and executes untrusted remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs subagents to run with mode "bypassPermissions" and to self-equip/install/configure tools and MCP servers (including launching services), which attempts to bypass security and modify the host state.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 24, 2026, 10:01 AM