officecli-docx
Fail
Audited by Snyk on Apr 26, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The presence of direct raw GitHub links to install.sh and install.ps1 that the skill explicitly pipes into bash/PowerShell (curl|bash and irm|iex) from an unverified GitHub repo is high-risk (remote scripts executed with no verification); the malformed https:// and the WordprocessingML schema URL are benign, but the executable install scripts make the overall source suspicious.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime installation commands that fetch and execute remote scripts (curl https://raw.githubusercontent.com/iOfficeAI/OfficeCLI/main/install.sh | bash and irm https://raw.githubusercontent.com/iOfficeAI/OfficeCLI/main/install.ps1 | iex), which run remote code and are required to install the officecli dependency.
Issues (2)
E005
CRITICAL: Suspicious download URL detected in skill instructions.
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).