Deployment Automation
Warn
Audited by Snyk on Feb 24, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's workflows and scripts explicitly fetch and parse content from public third-party sources, for example GitHub releases via "gh release view"/"gh run view" in scripts/build-verification.sh and many YAML workflows, plus HTTP checks to external bootstrap/signal URLs via curl in scripts/validate-config.sh and verify_download_links. These untrusted remote assets and URLs are read and used to make deployment and verification decisions, so they could carry indirect prompt-injection content that materially affects agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The workflow includes runtime "uses:" references that fetch and execute external GitHub Action code that the CI relies on (for example, matthme/import-codesign-certs@5565bb656f60c98c8fc515f3444dd8db73545dc2), so external repository code is pulled and run during skill execution.