moon
Warn
Audited by Snyk on Feb 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill documentation explicitly shows Moon can fetch and ingest remote, public configuration/plugins (for example the "extends: "https://raw.githubusercontent.com/.../.moon/tasks/base.yml\"" entry and external plugin URLs like "https://example.com/migrate-nx.wasm" or install scripts pulled via curl), meaning the agent would read and interpret arbitrary third‑party web content as part of its workflow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill includes runtime commands that fetch and execute remote code (e.g., curl -fsSL https://moonrepo.dev/install/proto.sh | bash) and remote "extends" references that load YAML from URLs like https://raw.githubusercontent.com/.../.moon/tasks/base.yml at runtime to control task/config behavior, which directly executes remote code or injects instructions into the agent's runtime.
Audit Metadata