autoresearch
Fail
Audited by Snyk on Jun 27, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). Most links are to official documentation and Karpathy's well-known GitHub repo (low risk), but the presence of a direct shell installer URL (https://astral.sh/uv/install.sh) intended to be fetched-and-piped to sh is a high-risk indicator because executing remote install scripts without review can distribute malware.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The setup path calls curl -LsSf https://astral.sh/uv/install.sh | sh and also runs git clone https://github.com/karpathy/autoresearch during runtime (in setup.sh and the SKILL.md examples), which fetches and executes remote code that the skill relies on.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata