kdocs
Warn
Audited by Snyk on Jun 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs runtime self-updates: running
kdocs-cli call check_skill_updatecan return aninstructioncontaining a ZIP download link which the agent is then instructed to download, unzip and replace the Skill directory (i.e. a remote ZIP URL such as the returned zip download link like https://.../skill-update.zip), and the provided setup scripts may also reinstall from a CDN at runtime — these remote artifacts would be fetched and can replace/execute agent code, so they constitute a runtime external dependency that directly controls/changes agent behavior.
Issues (1)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata