skills/nomadamas/k-skill/bunjang-search/Snyk

bunjang-search

Warn

Audited by Snyk on Apr 8, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs using the bunjang-cli to search and "item get" on 번개장터 (a public marketplace with user-generated listings) and to bulk-export/AI-export those listings, meaning the agent will fetch and read untrusted third‑party content (search results, item descriptions) that can influence subsequent actions like favoriting/chatting or exports.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs remote code at runtime via npx (e.g., npx --yes bunjang-cli) which fetches and executes the package from the npm URL https://www.npmjs.com/package/bunjang-cli (and linked GitHub https://github.com/pinion05/bunjangcli), so the external content is required and executes remote code.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Apr 8, 2026, 12:59 PM

Issues

2