iblai-vibe-component
Warn
Audited by Snyk on Jul 7, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The required workflow includes fetching
BRAND.mdfrom a public GitHub raw URL at runtime (outsider-authored web content), which would be readable prose ingested into the agent/LLM context to guide generation.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The iblai update-gallery command fetches the latest @iblai/web-containers from the npm registry (https://registry.npmjs.org/@iblai/web-containers) and rewrites the SKILL.md at runtime, meaning remote package content is fetched and injected into the skill file (references/update-gallery-command.md:20-26; examples: 7-12), which directly controls the skill documentation/state.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata