kdocs

Warn

Audited by Snyk on Jun 17, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs runtime self-updates: running kdocs-cli call check_skill_update can return an instruction containing a ZIP download link which the agent is then instructed to download, unzip and replace the Skill directory (i.e. a remote ZIP URL such as the returned zip download link like https://.../skill-update.zip), and the provided setup scripts may also reinstall from a CDN at runtime — these remote artifacts would be fetched and can replace/execute agent code, so they constitute a runtime external dependency that directly controls/changes agent behavior.

Issues (1)

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 17, 2026, 12:01 AM
Issues
1
Security Audit — snyk — kdocs