skills/schlenks/superpowers-bd/beads/Snyk

beads

Fail

Audited by Snyk on Mar 14, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 1.00). The URL is a direct raw GitHub shell script from an untrusted/unknown user and the skill explicitly tells users to curl | bash it, which is a high-risk distribution vector for arbitrary/malicious code.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). The skill instructs users at runtime to run a remote install script that is fetched and executed via curl: "curl -fsSL https://raw.githubusercontent.com/schlenks/superpowers-bd/main/scripts/setup-beads-local.sh | bash", which downloads and runs remote code (high-risk behavior).

Issues (2)

E005

CRITICAL

Suspicious download URL detected in skill instructions.

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

CRITICAL

Analyzed

Mar 14, 2026, 10:13 AM

Issues

2