eval-recipes-runner
Fail
Audited by Snyk on Mar 14, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Mixed risk: the astral.sh "install.sh" is a direct remote shell script (high-risk to curl|sh), the GitHub URL under "rysweet" is an untrusted/unknown repo that would be cloned and pip-installed (can execute arbitrary code), while the microsoft/eval-recipes repo is legitimate and low-risk; overall the untrusted installer and repo make this a potentially hazardous download source.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs fetching and executing remote code at runtime (required for operation), specifically the install script curl -LsSf https://astral.sh/uv/install.sh | sh and git clones that pull executable code (https://github.com/microsoft/eval-recipes.git and https://github.com/rysweet/...git which is subsequently checked out and pip-installed), so these external URLs directly deliver and run code the skill depends on.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata