htx/futures-market

Fail

Audited by Snyk on Jun 8, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The GitHub releases link directly serves an executable install.sh intended to be run via curl|bash (high-risk delivery of code from a repo of uncertain trust), while the huobiapi.github.io URL is just documentation; overall the presence of a remotely hosted install.sh to pipe into a shell makes this set suspicious.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The skill’s runtime calls HTX public market endpoints (e.g., GET /linear-swap-ex/market/detail/merged, .../history/kline, .../depth) and ingests the returned JSON fields as readable text into the agent context, which is outsider-authored free-form data from a third-party exchange.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Issues (3)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 8, 2026, 03:35 AM
Issues
3
Security Audit — snyk — htx/futures-market