keyvault-skill
Fail
Audited by Snyk on Mar 4, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The URL is a direct git install from an unverified GitHub user (ylz201), which can deliver arbitrary code via pip/setup scripts and is therefore potentially malicious unless the repository, author reputation, and code are verified.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill instructs installing and running code fetched from git+https://github.com/ylz201/keyvault.git (pip install git+https://github.com/ylz201/keyvault.git and then python -m keyvault.mcp_server), which causes remote code to be fetched and executed as a required dependency.
Audit Metadata