htx/funding-rate
Fail
Audited by Snyk on Jun 8, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The links point to a GitHub repo plus a direct releases download of install.sh (and the README even suggests curl ... | bash); while GitHub is a common host, running a remote shell script from an account that isn’t a verified official vendor is high-risk because it can execute arbitrary/malicious code without review.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The SKILL.md installation step runs a remote script via "curl -fsSL https://github.com/htx-exchange/htx-skills-hub/releases/latest/download/install.sh | bash -s -- funding-rate", which downloads and executes remote code as part of installing the skill (remote content therefore controls execution).
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata