rtk
Fail
Audited by Snyk on Jun 17, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). Although the hosts are GitHub (legitimate), these URLs include direct raw .sh installer links, a forked repo, and unresolved ${REPO} placeholders—patterns (curl|sh, raw script execution, forks/unknown accounts) that are commonly used to distribute malware unless you manually audit the script and verify the upstream release signatures.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's installer is invoked at runtime and explicitly runs remote code (curl -fsSL https://raw.githubusercontent.com/akillness/rtk/refs/heads/master/install.sh | sh) and also supports cargo install --git https://github.com/akillness/rtk, both of which fetch and execute external code that the skill relies on.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata