skills/supercent-io/skills-template/fabric/Snyk

fabric

Warn

Audited by Snyk on Mar 11, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.90). The skill's required workflow explicitly ingests public third-party content — e.g., Step 4's YouTube transcript fetching (fabric -y "https://youtube.com/watch?v=VIDEO_ID") and Step 6's web-search capability (fabric -p analyze_claims --search) — which are untrusted/user-generated sources that the agent reads and acts on (summarize/extract) and thus could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill's install instructions run remote code at setup time using "curl -fsSL https://raw.githubusercontent.com/danielmiessler/fabric/main/scripts/installer/install.sh | bash", which fetches and immediately executes a remote shell script and is presented as the required installer for the skill.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Mar 11, 2026, 11:11 AM

Issues

2