skills/dnyoussef/ai-chrome-extension/when-managing-github-projects-use-github-project-management/Snyk
when-managing-github-projects-use-github-project-management
Warn
Audited by Snyk on Jun 26, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The skill’s runtime workflow fetches GitHub issue bodies including comments via
scripts/github-api.sh fetch-issue --include-comments true, and those issue/comment texts are authored by non-operating users (outsider) and are ingested into the LLM context for classification/triage.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill invokes the remote package at runtime via "npx claude-flow@alpha" (e.g., npx claude-flow@alpha swarm init and npx claude-flow@alpha hooks ...) which will fetch and execute code from the npm registry that directly controls agent orchestration and hooks, so it is a runtime external dependency that executes remote code.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata