iblai-vibe-local-llm
Fail
Audited by Snyk on Jul 7, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). One of the listed URLs is a direct installer shell script (https://ollama.com/install.sh) which is high-risk to run via curl | sh (privilege escalation / arbitrary code execution); the remaining URLs are either local daemon endpoints or project docs/raw GitHub files used by the skill and are not themselves external download sources.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's install flow (
install_ollama) documents running a remote installer via curl|sh — e.g. "curl -fsSL https://ollama.com/install.sh | sh" — which fetches and executes remote code at runtime, so it is a high-risk external dependency.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill requires implementing an install_ollama command and explicitly discusses an installer that writes /usr/local/bin, creates a systemd service and user via sudo (and even mentions spawning curl | sh), which are actions that modify system files and require privileged escalation.
Issues (3)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata