meticulous-cli-update

Warn

Audited by Snyk on May 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly fetches package metadata from the public npm registry via "npm view @alwaysmeticulous/cli version" (Step 2) and then installs/updates packages with "npm install" / "npx skills update" (Steps 3 and 5), so it ingests untrusted public package data/artifacts that directly determine and influence update/install actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). This skill requires fetching and installing remote code at runtime (the npm package @alwaysmeticulous/cli via commands such as "npm install --global @alwaysmeticulous/cli@latest" and "npx skills update --project"), which will install and execute third‑party code the skill relies on and therefore can directly control behavior/execution.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 15, 2026, 01:39 PM
Issues
2
Security Audit — snyk — meticulous-cli-update