htx/spot-market

Fail

Audited by Snyk on Jun 8, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The installer URL is a direct download of an install.sh from a GitHub release (intended to be run via curl | bash), which can execute arbitrary code and is risky unless you have verified the repository and maintainer; the huobiapi.github.io docs page looks legitimate, but the presence of an unverified shell installer makes the overall download source potentially suspicious.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill is largely read-only (public market queries) but includes an installation command that pipes a remote script to bash (curl ... | bash), which encourages executing external code that can modify the host system — though it does not explicitly request sudo, modify system configs, or create users.

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 8, 2026, 03:35 AM
Issues
2
Security Audit — snyk — htx/spot-market