alibabacloud-agent-toolkit-install
Fail
Audited by Snyk on Jun 26, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These URLs combine legitimate Alibaba console/CDN endpoints (ram.console.aliyun.com and aliyuncli.alicdn.com) with direct downloadable installers/archives and third‑party hosted install scripts (astral.sh) that are intended to be run via pipe‑to‑shell or PowerShell — a high‑risk distribution pattern unless each script/archive is independently verified.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). This skill contains multiple runtime install commands that fetch and execute remote code — e.g., curl -LsSf https://astral.sh/uv/install.sh | sh, /bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)", the Windows installer downloads https://aliyuncli.alicdn.com/aliyun-cli-windows-$Version-amd64.zip at runtime, and npx openplugin aliyun/alibabacloud-agent-toolkit (which fetches and runs a remote package) — all of which are required install paths that execute external code.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata