video-edit

Fail

Audited by Snyk on Jun 17, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). Most URLs are benign (Google Fonts, jsdelivr, reputable GitHub orgs like mlc‑ai and SYSTRAN, HeyGen CDN, Nodesource) but there is a direct raw.githubusercontent.com install.sh referenced and the README recommends curl | bash of that script (and other raw scripts) — executing an unattended shell script from a user repo is a common malware vector, so the set includes a suspicious download/execution path.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill's editor and composition HTML files load and execute external JavaScript at runtime (for example GSAP from https://cdn.jsdelivr.net/npm/gsap@3.14.2/dist/gsap.min.js), which will be fetched and run during editing/rendering and is relied on by the templates for animations — this is a runtime fetch that executes remote code.

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 17, 2026, 07:42 AM
Issues
2
Security Audit — snyk — video-edit