smart-spawn-api

Warn

Audited by Snyk on Mar 10, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill issues runtime requests to ss.deeflect.com (e.g., POST https://ss.deeflect.com/api/roles/compose and GET https://ss.deeflect.com/api/pick and /api/decompose), and the responses (notably the returned "fullPrompt" and model IDs) are directly injected into agent tasks/prompts and used to spawn sub-agents, so remote content controls prompts at runtime.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 10, 2026, 03:42 PM
Security Audit — snyk — smart-spawn-api