install-stack
Warn
Audited by Snyk on Mar 25, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly clones and installs code from public GitHub repositories and PyPI (e.g., SKILL.md Step 3 uses "git clone ${GITHUB_PREFIX}/FlagOpen/FlagGems" and other ${GITHUB_PREFIX}/... repos and pip install with PIP_INDEX, and scripts/detect_network.py probes GitHub/PyPI), so it fetches and executes untrusted, user-hosted third‑party content that is then inspected/imported and used to decide gate/next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill performs runtime git clones from ${GITHUB_PREFIX} (e.g. https://github.com/flagos-ai/FlagCX or the mirror https://ghfast.top/https://github.com/flagos-ai/FlagCX) and pip installs from remote indexes (notably https://resource.flagos.net and PyPI https://pypi.org/simple/), which are fetched during execution and then built/installed (make, pip install -e), meaning remote code is retrieved at runtime and executed as a required dependency.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata