skills/higgsfield-ai/skills/higgsfield-soul-id/Snyk

higgsfield-soul-id

Fail

Audited by Snyk on May 4, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.90). This URL is a direct link to a shell install script on raw.githubusercontent.com intended to be run via "curl | sh"; while GitHub's raw domain is legitimate, executing an unreviewed remote .sh from a non-official/unknown repository is high-risk because it can run arbitrary commands — inspect the script and verify the repo before running.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill's bootstrap step runs remote code at runtime via "curl -fsSL https://raw.githubusercontent.com/higgsfield-ai/cli/main/install.sh | sh", which fetches and immediately executes a script required to install the CLI, so it directly executes external code.

Issues (2)

E005

CRITICAL

Suspicious download URL detected in skill instructions.

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

CRITICAL

Analyzed

May 4, 2026, 04:34 PM

Issues

2