htx/spot-market
Fail
Audited by Snyk on Jun 8, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The installer URL is a direct download of an install.sh from a GitHub release (intended to be run via curl | bash), which can execute arbitrary code and is risky unless you have verified the repository and maintainer; the huobiapi.github.io docs page looks legitimate, but the presence of an unverified shell installer makes the overall download source potentially suspicious.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill is largely read-only (public market queries) but includes an installation command that pipes a remote script to bash (curl ... | bash), which encourages executing external code that can modify the host system — though it does not explicitly request sudo, modify system configs, or create users.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata