fabric
Warn
Audited by Snyk on Mar 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests untrusted, user-generated third‑party content — e.g., fetching YouTube transcripts via "Step 4: Process YouTube videos" with fabric -y and ingesting arbitrary webpages via examples like "curl -s https://example.com/article | fabric -p summarize" (and also pulls community patterns with fabric -u) — and processes that content as part of its workflow, so such content could influence tool outputs and next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). Fabric's install step executes a remote script via curl -fsSL https://raw.githubusercontent.com/danielmiessler/fabric/main/scripts/installer/install.sh | bash, and the tool also fetches pattern files from the GitHub repo at runtime that directly control prompts, so the skill relies on externally-fetched executable code and prompt content.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata