htx/ta-master
Fail
Audited by Snyk on Jun 8, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). This URL is a direct link to an install.sh release asset on a GitHub repo and is explicitly used with "curl | bash" in the skill — while GitHub hosting is common, executing an unverified shell script from a third‑party repo is a common malware delivery vector unless the org/repo is known and verified.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's installation command pipes a remote shell script into bash (curl -fsSL https://github.com/htx-exchange/htx-skills-hub/releases/latest/download/install.sh | bash -s -- ta-master), which fetches and executes remote code at runtime and is presented as the required installer.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata