ln-742-precommit-setup
Warn
Audited by Snyk on Apr 12, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). SKILL.md explicitly instructs the agent to fetch missing files via WebFetch from the public raw GitHub URL https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}, meaning the agent will ingest and act on untrusted, user-published content (hook scripts/configs) that can materially influence tool behavior and next actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches runtime files from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path} (if shared/ is missing) and includes pre-commit repo references (https://github.com/astral-sh/ruff-pre-commit, https://github.com/compilerla/conventional-pre-commit, https://github.com/pre-commit/pre-commit-hooks) which pre-commit will download and run as hooks, meaning remote content is fetched at runtime and can execute code in the project.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata