Skills
skills/autumnsgrove/groveengine/cicd-automation/Snyk

cicd-automation

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The Codecov and GitHub badge URLs are low-risk documentation assets, but the direct install.sh on https://astral.sh (used with curl | sh) is a high-risk pattern because it downloads and executes a shell script from an external/unverified domain and could deliver malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The GitHub Actions workflow runs "curl -LsSf https://astral.sh/uv/install.sh | sh" during job execution, which fetches and executes remote code at runtime and is relied upon to provide the uv tool used by subsequent steps, so the URL https://astral.sh/uv/install.sh is a risky runtime dependency.
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 16, 2026, 11:59 PM