skills/cooloo9871/my-awesome-skill/cnpg-skill/Snyk

cnpg-skill

Warn

Audited by Snyk on Mar 29, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). The skill's install step explicitly tells the operator to run "kubectl apply -f https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/main/releases/cnpg-1.24.0.yaml", which causes the agent/environment to fetch and apply public GitHub-hosted YAML (untrusted third-party content) that directly influences deployment actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.80). The skill's recommended install command uses a raw GitHub URL (https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/main/releases/cnpg-1.24.0.yaml) which kubectl apply -f would fetch at runtime and directly install/execute remote Kubernetes manifests (i.e., code/configuration), making it a required external dependency for the skill.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Mar 29, 2026, 09:01 AM

Issues

2