skill-builder
Warn
Audited by Snyk on Mar 14, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly instructs agents to fetch and ingest untrusted third-party content — e.g., "skill-seekers scrape --url https://docs.example.com/", "skill-seekers github --repo facebook/react", and the "Unified Multi-Source"/ACQUIRE pipeline in SKILL.md and references/advanced-workflows.md — and then to read/enhance/package that content as part of its workflow, so external webpages, GitHub repos, and PDFs can directly influence subsequent tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's installation docs instruct running fetched remote code at runtime (e.g., python3 -c "$(curl -fsSL https://raw.githubusercontent.com/yusufkaraaslan/Skill_Seekers/main/setup.py)" and curl -LsSf https://astral.sh/uv/install.sh | sh), which directly executes external code and is presented as a required install-time dependency.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata