Skills
skills/feed-mob/agent-skills/install-civitai-videoflow-bundle/Snyk

install-civitai-videoflow-bundle

Warn

Audited by Snyk on Feb 27, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's required workflow (Step 2: "Obtain civitai-agent-skills Repository") explicitly clones/pulls the public GitHub repo (git@github.com:feed-mob/civitai-agent-skills.git or HTTPS) or accepts a user-uploaded zip and then installs and runs skills from that repository, meaning untrusted third‑party code/content is fetched and consumed as part of the installation and can materially change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill explicitly clones the remote repository git@github.com:feed-mob/civitai-agent-skills.git (with HTTPS fallback https://github.com/feed-mob/civitai-agent-skills.git) at runtime and then installs/executes its skills via npx, so fetched remote code can directly control agent behavior.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 27, 2026, 03:19 PM