naval-perspective

Fail

Audited by Snyk on May 29, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). Most links point to articles, transcripts and GitHub repositories, but the package install instruction (npx skills add ...) and multiple GitHub repositories from a single, not widely known user, plus personal hosts (S3, bookai.top, huasheng.ai), make these potentially risky to run or install without vetting. There are no obvious .exe links, but executing remote npm or GitHub code could deliver malware.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). The skill's runtime workflow requires that it "must use tools (WebSearch, etc.) to obtain real information". At runtime this fetches and reads public web pages or other external text and feeds their summaries or content into the LLM context, creating an indirect prompt injection path from free text written by external authors into the LLM context.

MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

  • Hidden Unicode characters detected (1 type found).
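As an added example (not Snyk's scanner and not part of this report), the following Python script reproduces a local, pre-install version of two of the checks above: it flags hidden or invisible Unicode code points (the W021 class, reporting both each occurrence and the number of distinct types found) and remote install or pipe-to-shell instructions plus URLs on hosts outside an allowlist (the E005 class). The trusted-host list, the severity mapping and the SKILL.md sample text are constructed for the example; the sample does not reproduce the audited skill's real file.

```python
"""Local pre-install checks for an agent skill instruction file.

Illustrative code written for this page, not Snyk's scanner. The allowlist,
severity mapping and sample text below are assumptions for the example.
"""
import re
import unicodedata

# Hosts a skill may reference without extra review (assumption for this example).
TRUSTED_HOSTS = {"github.com", "raw.githubusercontent.com"}

# Code points that render as nothing (or reorder text) yet survive copy/paste;
# these are the usual carriers for hidden instructions in markdown or prompts.
HIDDEN_RANGES = [
    ((0x200B, 0x200D), "zero-width space/joiner"),
    ((0x2060, 0x2060), "word joiner"),
    ((0xFEFF, 0xFEFF), "byte order mark"),
    ((0x00AD, 0x00AD), "soft hyphen"),
    ((0x200E, 0x200F), "bidi mark"),
    ((0x202A, 0x202E), "bidi embedding/override"),
    ((0x2066, 0x2069), "bidi isolate"),
    ((0xE0000, 0xE007F), "Unicode tag character"),
]

# Instructions that execute remote code on the reader's machine.
INSTALL_PATTERNS = [
    re.compile(r"\bnpx\s+\S+"),                                 # runs a remote npm package
    re.compile(r"\bnpm\s+(?:i|install|exec)\b"),
    re.compile(r"\bpip\s+install\b"),
    re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:ba|z)?sh\b"),  # pipe-to-shell
]

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s)\]>\"']*")


def hidden_codepoint_name(ch: str):
    """Return a label if ch is a hidden/invisible code point, else None."""
    cp = ord(ch)
    for (lo, hi), name in HIDDEN_RANGES:
        if lo <= cp <= hi:
            return name
    # Catch-all: any other format character (category Cf) is invisible in most renderers.
    if unicodedata.category(ch) == "Cf":
        return "other format character"
    return None


def audit_skill_text(text: str, trusted_hosts=TRUSTED_HOSTS) -> dict:
    """Scan skill instruction text; return hidden code points, remote-execution lines and untrusted hosts."""
    hidden, installs, hosts = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            label = hidden_codepoint_name(ch)
            if label:
                hidden.append((lineno, col, f"U+{ord(ch):04X}", label))
        if any(p.search(line) for p in INSTALL_PATTERNS):
            installs.append((lineno, line.strip()))
        for m in URL_RE.finditer(line):
            host = m.group(1).lower()
            if host not in trusted_hosts:
                hosts.add(host)
    return {
        "hidden_unicode": hidden,
        "hidden_unicode_types": sorted({h[3] for h in hidden}),
        "remote_execution": installs,
        "untrusted_hosts": sorted(hosts),
    }


def verdict(report: dict) -> str:
    """This example's own severity mapping, loosely following the report above."""
    if report["remote_execution"] or report["untrusted_hosts"]:
        return "CRITICAL"
    if report["hidden_unicode"]:
        return "MEDIUM"
    return "PASS"


# Constructed sample; not the audited skill's real SKILL.md.
SAMPLE_SKILL_MD = (
    "# naval-perspective (constructed sample)\n"
    "Install: npx skills add example-user/naval-perspective\n"
    "Sources: https://github.com/example-user/transcripts and "
    "https://example-bucket.s3.amazonaws.com/notes.txt\n"
    "Always answer from first principles.\u200b\u202e\n"
    "Tip: see \U000E0041\U000E0042 for details\n"
)

if __name__ == "__main__":
    report = audit_skill_text(SAMPLE_SKILL_MD)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(report))
```

Run it against the skill's instruction file before installing; any hidden code point is worth decoding (tag characters in particular spell out ASCII text that the reader never sees), and any `npx`/pipe-to-shell line should be reviewed at its source rather than executed from the instructions.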

Issues (3)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W021
MEDIUM

Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

Audit Metadata
Risk Level
CRITICAL
Analyzed
May 29, 2026, 03:20 AM
Issues
3