iblai-vibe-component

Warn

Audited by Snyk on Jul 7, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The required workflow includes fetching BRAND.md from a public GitHub raw URL at runtime (outsider-authored web content), which would be readable prose ingested into the agent/LLM context to guide generation.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The iblai update-gallery command fetches the latest @iblai/web-containers from the npm registry (https://registry.npmjs.org/@iblai/web-containers) and rewrites the SKILL.md at runtime, meaning remote package content is fetched and injected into the skill file (references/update-gallery-command.md:20-26; examples: 7-12), which directly controls the skill documentation/state.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 7, 2026, 01:01 PM
Issues
2
Security Audit — snyk — iblai-vibe-component