spec-stack
Fail
Audited by Snyk on Jun 17, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). Mixed risk: the list contains a direct third‑party shell installer (https://astral.sh/uv/install.sh) and several tools hosted under individual GitHub accounts (Q00, HKUDS, akillness) which are common vectors for distributing executables via npx/pip/installer scripts and should be treated as suspicious until verified; only github/spec-kit (github org) looks obviously official.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The installer and examples perform runtime fetch-and-execute of remote code (high-confidence): scripts/install.sh installs a package from git+https://github.com/github/spec-kit.git@${SPEC_KIT_REF} via pip/uv/pipx and the docs show runtime installs like npx skills add https://github.com/akillness/jeo-skills and a suggested curl -LsSf https://astral.sh/uv/install.sh | sh, all of which fetch and execute remote code required for the skill.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata