gemini-svg-creator
Warn
Audited by Snyk on Mar 10, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill’s setup instructs running an npx install that will fetch and execute remote code — "npx -y @rlabs-inc/gemini-mcp" (package: https://www.npmjs.com/package/@rlabs-inc/gemini-mcp) — and the repository raw URL used in the install step (https://raw.githubusercontent.com/htuzel/gemini-svg-creator/main/gemini-svg-creator/SKILL.md) are external resources fetched during setup/runtime and the MCP package is a required dependency that executes remote code.
Audit Metadata