skills/alcyone-labs/agent-skills/git-commit-writer/Snyk

git-commit-writer

Warn

Audited by Snyk on Mar 1, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.80). The skill's droid workflow explicitly runs a curl from raw.githubusercontent.com to fetch and execute an external install.sh (commands/droid/git-commit-writer.md Step 1), which ingests and executes third-party GitHub-hosted content that could alter agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The droid update workflow runs curl -fsSL https://raw.githubusercontent.com/Alcyone-Labs/agent-skills/main/install.sh | bash ... at runtime when invoked with --update-skill, which fetches and directly executes remote code, creating a high-risk external dependency.

Audit Metadata

Risk Level

MEDIUM

Analyzed

Mar 1, 2026, 06:41 PM