meticulous-cli-update
Warn
Audited by Snyk on May 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly fetches package metadata from the public npm registry via "npm view @alwaysmeticulous/cli version" (Step 2) and then installs/updates packages with "npm install" / "npx skills update" (Steps 3 and 5), so it ingests untrusted public package data/artifacts that directly determine and influence update/install actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). This skill requires fetching and installing remote code at runtime (the npm package @alwaysmeticulous/cli via commands such as "npm install --global @alwaysmeticulous/cli@latest" and "npx skills update --project"), which will install and execute third‑party code the skill relies on and therefore can directly control behavior/execution.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata