taleb-perspective
Fail
Audited by Snyk on May 30, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). These URLs are primarily personal GitHub repos and personal sites (an unknown user "alchaincyf") with installation commands (npx/git clone) — there are no direct .exe/installer links but running/unpacking code from an unvetted GitHub user or executing npx install scripts can run arbitrary code, so it is a plausible malware distribution vector and warrants caution.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). 该Skill的运行时工作流在SKILL.md中要求“必须使用工具(WebSearch等)获取真实信息”,而WebSearch会抓取公共网页/外部来源的可读文本并进入LLM上下文,属于“公共web内容在运行时被读取”的外部自由文本注入路径。
MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
- Hidden Unicode characters detected (1 type(s) found)
Issues (3)
E005
CRITICALSuspicious download URL detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W021
MEDIUMHidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
Audit Metadata