higgsfield-marketplace-cards
Fail
Audited by Snyk on Jun 14, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 1.00). The first URL is invalid/empty and the second is a direct raw.githubusercontent.com link to an install.sh (a shell script) from an unverified GitHub account — piping or running raw shell scripts (especially from little-known repos) is high risk because they can execute arbitrary malicious code.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's bootstrap directs executing a remote installer via curl -fsSL https://raw.githubusercontent.com/higgsfield-ai/cli/main/install.sh | sh which runs fetched code during setup and is a required runtime dependency for the CLI.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata