kagi-enrich
Warn
Audited by Snyk on Mar 27, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). This skill calls Kagi's enrichment API (see main.go: fetchEnrich using https://kagi.com/api/v0/enrich/web and /news) and returns titles/snippets/URLs from Kagi's Teclis/TinyGem indexes (SKILL.md explicitly cites independent blogs, Hacker News/Reddit-like discussions and non-mainstream news), i.e., ingesting untrusted, user-generated third‑party content that the agent reads and could influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The wrapper script kagi-enrich.sh fetches and installs a pre-built executable at runtime from the GitHub release endpoints (e.g. https://api.github.com/repos/joelazar/kagi-skills/releases/latest and https://github.com/joelazar/kagi-skills/releases/download/${TAG}/${BINARY}), makes it executable and execs it, which is downloading and executing remote code as a required dependency.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata