skills/viktor-ferenczi/se-dev-skills/se-dev-server-code/Snyk

se-dev-server-code

Warn

Audited by Snyk on Mar 12, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.80). This skill's required preparation (Prepare.bat / Prepare.md) downloads and executes external resources (e.g., Invoke-WebRequest to fetch busybox.exe from frippery.org and an install script from https://astral.sh in Prepare.bat), so untrusted public web content is fetched and executed as part of the mandatory workflow and could therefore influence runtime behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). Yes — the Prepare.bat invoked at runtime downloads and executes remote code (powershell "irm https://astral.sh/uv/install.ps1 | iex") and also fetches a required binary (https://frippery.org/files/busybox/busybox64u.exe), so external content is fetched and executed as a required dependency.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Mar 12, 2026, 04:26 AM

Issues

2