Skills
skills/jezweb/claude-skills/vite-flare-starter/Snyk

vite-flare-starter

Warn

Audited by Snyk on Mar 1, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's required setup (SKILL.md Step 2 and scripts/setup.sh) explicitly git-clones a public GitHub repo (REPO_URL=https://github.com/jezweb/vite-flare-starter.git) and then runs installs/migrations (pnpm install, db migrations), so it fetches and executes untrusted, user-controlled third‑party content that can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The setup script clones the remote repository at https://github.com/jezweb/vite-flare-starter.git at runtime and then runs project-local commands (pnpm install and pnpm run db:migrate:local), which will execute code from that fetched repo, so the external URL is a runtime dependency that can execute remote code.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 1, 2026, 12:39 PM