setup
Fail
Audited by Snyk on Apr 30, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.85). These are direct GitHub release binary downloads from an unfamiliar account, and the skill instructs piping/tarring them into a user's bin without a checksum, signature, or other provenance check, which creates a significant supply-chain/malware risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly downloads and installs a remote binary at runtime (e.g., via curl -L https://github.com/open-horizon-labs/repo-native-alignment/releases/latest/download/repo-native-alignment-linux-x86_64.tar.gz and/or an install from the git URL https://github.com/open-horizon-labs/repo-native-alignment), which fetches and executes remote code that the skill requires in order to run (the repo-native-alignment MCP server).
Issues (2)
E005
CRITICAL: Suspicious download URL detected in skill instructions.
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).