skills/levnikolaevich/claude-code-skills/ln-645-open-source-replacer/Snyk

ln-645-open-source-replacer

Warn

Audited by Snyk on Apr 24, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). The skill's mandatory workflow (Phase 3 "Alternative Search" and Phase 4 "Security Gate") explicitly uses WebSearch, Context7, Ref queries and WebFetch (including raw.githubusercontent.com) to retrieve open/public third-party content which the agent reads and uses to select and score replacements and CVE status, so untrusted web content can directly influence decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs at runtime to fetch mandatory "shared" reference files if missing via WebFetch from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}, and those fetched documents (contracts/templates/mandatory reads) directly control the agent's behavior and prompts.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Apr 24, 2026, 07:48 AM

Issues

2