init-tauri-app
Fail
Audited by Snyk on Jun 14, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These are GitHub release URLs (including a direct downloads path and an updater manifest) pointing at a personal/unknown account (glebis); GitHub releases can legitimately host installers but are a common vector for distributing unsigned/malicious binaries when the repository or publisher is not verified, so treat them as moderate–high risk unless you can verify the repo's trust and release artifacts.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs remote-install commands during runtime such as "npm create tauri-app@latest " (fetches and executes the official create-tauri-app package from the npm registry) and the MCP entry in assets/core/mcp.json that runs "npx -y @hypothesi/tauri-mcp-server" (npx fetches and executes that package at runtime), so the scaffold relies on fetching and executing remote code during its operation.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata