holyclaude-ai-workstation

Fail

Audited by Snyk on Mar 25, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). Most listed URLs are local/placeholder endpoints (localhost, example.com) and not harmful by themselves, but the presence of an unvetted third‑party domain (ara.so) and a GitHub repo/Docker image from an unknown maintainer (CoderLuii) — plus instructions to pull/run a prebuilt container — means these sources could plausibly distribute malicious binaries/containers and should be treated as suspicious until verified.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly includes a "Playwright / Headless Browser Usage" section (e.g., "Use it from Claude Code tasks or directly" and the example page.goto('https://example.com')) showing the container is configured to fetch and process arbitrary public web pages via Chromium/Playwright, which can expose the agent to untrusted third-party content that could carry instructions affecting runtime behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). Flagging the Docker image and git repo because the skill explicitly pulls and runs the remote container image (CoderLuii/HolyClaude:latest via docker compose / docker pull) and also shows a git clone of the repository (https://github.com/CoderLuii/HolyClaude.git), both of which fetch and execute remote code that the skill relies on at runtime.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs the agent/user to run system-level commands that alter host state (docker compose up, docker run, docker build), explicitly recommends disabling sandboxing/security (security_opt: seccomp:unconfined and Chromium Playwright flags like --no-sandbox/--disable-setuid-sandbox) and even shows a sudo chown to change host file ownership, which weakens security and modifies machine state.

Issues (4)

E005  CRITICAL  Suspicious download URL detected in skill instructions.
W011  MEDIUM    Third-party content exposure detected (indirect prompt injection risk).
W012  MEDIUM    Unverifiable external dependency detected (runtime URL that controls agent).
W013  MEDIUM    Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 25, 2026, 11:48 PM
Issues: 4