skills/heyitsaamir/teams.ts-skills/teams-sdk-project/Snyk

teams-sdk-project

Fail

Audited by Snyk on Mar 11, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.80). The GitHub URL points to a release tarball from an individual/unvetted account (installing arbitrary .tgz bypasses trusted registries and can run malicious install scripts) and the ngrok-style domain is a transient personal tunnel that can host untrusted services, so together they represent a higher-than-normal risk for distributing malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). The skill instructs installing the teams2 CLI from a remote tarball (npm install -g https://github.com/heyitsaamir/teamscli/releases/latest/download/teamscli.tgz), which downloads and installs remote executable code that the skill relies on at runtime and thus can execute remote code.

Issues (2)

E005

CRITICAL

Suspicious download URL detected in skill instructions.

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

CRITICAL

Analyzed

Mar 11, 2026, 08:45 AM

Issues

2