▥AGENT LAB: SKILLS — FEB 26 NYCNYC

skills/martinholovsky/claude-skills-generator/Auto-Update Systems Expert/Snyk

Auto-Update Systems Expert

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.80). These URLs include direct downloadable installer archives (tar.gz, zip containing NSIS installer), an insecure http:// endpoint, and several malformed or templated/example hosts — all of which are plausible vectors for malware if the domains or artifacts are untrusted or signatures are not strictly enforced.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). During runtime the skill's updater fetches manifests and installer artifacts from endpoints like https://releases.myapp.com/{{target}}/{{arch}}/{{current_version}} (and concrete artifact URLs such as https://releases.myapp.com/MyApp_1.2.0_x64-setup.nsis.zip), which are downloaded and installed (i.e., execute remote code) and the update flow depends on these endpoints.

Audit Metadata

Risk Level

CRITICAL

Analyzed

Feb 15, 2026, 08:40 PM