skills/levnikolaevich/claude-code-skills/ln-001-push-all/Snyk

ln-001-push-all

Warn

Audited by Snyk on Apr 15, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). This skill explicitly instructs fetching missing shared files via WebFetch from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path} and mandates loading shared/references/ci_tool_detection.md, so it ingests untrusted public GitHub content that can influence lint/command discovery and subsequent agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill instructs that if shared/ is missing it will fetch files at runtime from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}, including the mandatory shared/references/ci_tool_detection.md which directs lint discovery and commands to run, so remote content fetched from that URL can directly control instructions and executed commands.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Apr 15, 2026, 10:38 AM

Issues

2