dotnet-new-app-slnx
Warn
Audited by Snyk on Apr 24, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill explicitly fetches and ingests public third‑party content that can influence actions—it reads the .NET releases index from https://raw.githubusercontent.com/dotnet/core/refs/heads/main/release-notes/releases-index.json to build target-framework choices and calls the NuGet V3 service (https://api.nuget.org/v3/index.json) / package index URLs via scripts/resolve-package-versions.ps1 to resolve package versions, and those fetched values directly determine tool behavior and generated outputs.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches https://raw.githubusercontent.com/dotnet/core/refs/heads/main/release-notes/releases-index.json at runtime to compute the target_framework quick-pick choices, meaning remote content directly controls the agent's prompts/choices.
Issues (2)
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).