higgsfield-product-photoshoot
Fail
Audited by Snyk on Jun 14, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The three CDN JPEGs are ordinary image files, but the raw.githubusercontent.com link points to an install.sh intended to be run (curl|sh) from an external GitHub account—executing remote shell scripts without review is a high-risk distribution vector for malware.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's bootstrap step instructs users to run a remote install script that is fetched and executed at runtime via "curl -fsSL https://raw.githubusercontent.com/higgsfield-ai/cli/main/install.sh | sh", which downloads and runs remote code and is required if the CLI is not present.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata