open-code-review
Warn
Audited by Snyk on Jul 2, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime fetch-and-execute steps: scripts/install.sh may run sh -c "$(curl -fsSL https://raw.githubusercontent.com/alibaba/open-code-review/main/install.sh)" (remote install script executed), the source install path does git clone "https://github.com/alibaba/open-code-review.git" and builds/executess code, and the Claude plugin setup suggests curl -o .claude/commands/open-code-review.md https://raw.githubusercontent.com/alibaba/open-code-review/main/plugins/open-code-review/commands/review.md which pulls remote command instructions that control agent behavior.
Issues (1)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata