wavybaby

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.85). The skill content instructs autonomous installation and execution of remote packages and MCP servers without user consent and to modify project configurations automatically, creating a high supply-chain and system-compromise risk even though it contains no explicit exfiltration or obfuscated payloads.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly performs dynamic searches and installs of public community skills and MCPs (e.g., "npx skills find", "npx skills add <owner/repo>", "search 29,000+ skills via skills.sh", and auto-installing MCPs like Context7), and its configuration templates permit WebSearch/WebFetch — meaning the agent will fetch and incorporate untrusted, user-provided content from public repositories and web documentation as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill explicitly adds external MCP transports at runtime (e.g., "claude mcp add github --transport http https://api.githubcopilot.com/mcp/" and "claude mcp add sentry --transport http https://mcp.sentry.dev/mcp"), which the agent will connect to during execution to fetch context/instructions and thus can directly influence prompts or execute remote behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs the agent to autonomously run installation commands (npx, claude mcp add), auto-create project config files, and grant broad Bash permissions without asking, which alters the machine's state and can install untrusted code—so it encourages potentially unsafe modifications even though it doesn't directly request sudo or user creation.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 09:16 PM