apix

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). The URL hosts a remote install script (commonly used with curl | sh) on an uncommon domain (apix.sh) rather than an established package manager or verified vendor site — executing such remote shell scripts without inspecting their contents is high-risk and often used to distribute malware.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — the skill fetches and ingests third‑party vaults and specs (e.g., default registry remote https://github.com/apix-sh/vault.git and configurable source remotes in config, plus parse_spec which uses ureq::get to fetch http(s) OpenAPI specs), and agents are instructed to read route/frontmatter via apix peek/show which apix uses to resolve URLs, methods, and auth for apix call — meaning untrusted public content can directly influence tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The apix CLI fetches remote OpenAPI specs and vault registries at runtime (e.g., the default registry URL https://github.com/apix-sh/vault.git and any http(s) URL passed to apix import which parser.parse_spec() fetches), and the fetched markdown/OpenAPI content is rendered and presented to agents — meaning remote content can directly control agent-visible instructions.