affiliate-check

Fail

Audited by Snyk on Jun 14, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). Most links are to well-known sites (GitHub, Google, YouTube, Product Hunt, RapidAPI, Apify, openaffiliate.dev) and documentation, but the package includes instructions to run remote install scripts (e.g., curl -fsSL https://bun.sh/install | bash), build/run unverified binaries (./setup, tools/dist/affiliate-check), and references many small/unvetted GitHub repos and scraper endpoints — making this a potentially risky download/execute scenario if followed without careful code review.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's setup instructs running a remote installer via shell (curl -fsSL https://bun.sh/install | bash), which is fetched and executed during setup/runtime to install a required Bun dependency, so it can execute remote code on the host and is therefore a high-confidence runtime risk.

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 14, 2026, 11:55 AM
Issues
2
Security Audit — snyk — affiliate-check