skills/higgsfield-ai/skills/higgsfield-soul/Snyk

higgsfield-soul

Fail

Audited by Snyk on May 4, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.90). The URL is a direct raw .sh script (curl | sh style) from a third‑party GitHub repo (higgsfield-ai/cli); executing such remote shell scripts is high risk because they can run arbitrary commands and the source/reputation appears unverified, so the script should be inspected locally before running.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). The skill's prerequisite installs the higgsfield CLI by running a remote script fetched and piped to sh from https://raw.githubusercontent.com/higgsfield-ai/cli/main/install.sh, which downloads and executes remote code at setup and is required for the skill.

Issues (2)

E005

CRITICAL

Suspicious download URL detected in skill instructions.

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

CRITICAL

Analyzed

May 4, 2026, 03:35 PM

Issues

2