mcp-tools
Fail
Audited by Snyk on Jun 17, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). These links point to third‑party npm packages and GitHub repos (and an independent project site) from individual/unfamiliar maintainers that are not major vendor pages — installing via npx or npm will run code from those authors and GitHub/npm packages with low visibility can be used to distribute malware, so treat as moderately high risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The MCPs are launched via npx (e.g., "npx -y xcodebuildmcp@latest" and "npx -y @kimsungwhee/apple-docs-mcp"), which fetches and executes remote npm package code at runtime (see https://www.npmjs.com/package/xcodebuildmcp and https://www.npmjs.com/@kimsungwhee/apple-docs-mcp), and those packages are required dependencies for the skill.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata