finhay-market
Warn
Audited by Snyk on Apr 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The mandatory pre-flight checks (./_shared/preflight.md) require running the sync scripts (./_shared/scripts/sync.sh or sync.ps1), which fetch and install files from the public raw GitHub URL (https://raw.githubusercontent.com/finhay-pro/finhay-skills-hub/main) — a public third-party source whose contents are ingested and can change the skill's scripts/behavior and thus influence subsequent tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill's sync scripts (./_shared/scripts/sync.sh and sync.ps1) fetch and write executable scripts from https://raw.githubusercontent.com/finhay-pro/finhay-skills-hub/main (and query https://api.github.com/repos/finhay-pro/finhay-skills-hub) at runtime to update/replace local skill code that is then used, meaning remote content can directly control executed code and runtime behavior.
Issues (2)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata