building-inferencesh-apps
Fail
Audited by Snyk on Jul 7, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The astral.sh links are direct installers (.sh and .ps1) hosted on a small/non-obvious domain and are referenced to be piped into sh/PowerShell—this is a high-risk pattern for malware distribution compared with the other listed, trusted/official sources.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The docs contain explicit install commands that download-and-execute remote scripts required for the toolchain (e.g., curl -fsSL https://cli.inference.sh | sh and curl -LsSf https://astral.sh/uv/install.sh | sh, plus https://fnm.vercel.app/install and https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh piped to bash), so remote content is fetched and executed as a required setup step.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata