pueue-job-orchestration
Warn
Audited by Snyk on Apr 20, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's required installation and callback workflows explicitly fetch and execute public, user-generated content (e.g., the installation step "curl -sSL https://raw.githubusercontent.com/terrylica/rangebar-py/main/scripts/setup-pueue-linux.sh | bash" in references/installation-guide.md and webhook/ntfy curl examples in callbacks-and-scheduling.md), so the agent would ingest arbitrary third-party content at runtime that can materially change behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes an explicit runtime installation command that fetches and executes remote code via curl | bash (curl -sSL https://raw.githubusercontent.com/terrylica/rangebar-py/main/scripts/setup-pueue-linux.sh | bash), which directly executes external content relied on for the skill to function.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata