skills/morning-start/book-skills/moonbit-skills/Snyk

moonbit-skills

Fail

Audited by Snyk on May 7, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.70). Mostly documentation pages on project domains, but the skill explicitly instructs piping a remote install.sh into bash (https://www.moonbitlang.com/install.sh) and the sites are not well-known/trusted — executing unknown remote shell scripts is a high-risk distribution vector for malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill repeatedly instructs running a remote installer via "curl -fsSL https://www.moonbitlang.com/install.sh | bash", which fetches and executes remote code at runtime and is presented as a required installation step, so it directly executes external code (https://www.moonbitlang.com/install.sh).

Issues (2)

E005

CRITICAL

Suspicious download URL detected in skill instructions.

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

CRITICAL

Analyzed

May 7, 2026, 03:04 PM

Issues

2