thermo-nuclear-code-quality-review
Fail
Audited by Snyk on Jul 10, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Both URLs point to a personal GitHub repository (kashyab12/uni-thermos) that the package's update script will clone and run install/update actions from, making it an untrusted upstream for automated installs and a potential malware distribution vector.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The package includes a self-update script that fetches and executes an unverified remote install.sh (clear supply-chain / remote-code-execution risk) and a reviewer script that constructs prompts containing repo diffs and sends them to an external Codex service (possible sensitive-data exfiltration), including an option to run the external job in the background.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The update-self.sh script clones/fetches the remote git repo https://github.com/kashyab12/uni-thermos.git at runtime and later runs that checkout's install.sh, meaning fetched remote code is executed.
Issues (3)
E005
CRITICALSuspicious download URL detected in skill instructions.
E006
CRITICALMalicious code pattern detected in skill scripts.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata