Skills
skills/levnikolaevich/claude-code-skills/ln-832-bundle-optimizer/Snyk

ln-832-bundle-optimizer

Warn

Audited by Snyk on May 12, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs fetching missing shared files via WebFetch from the public raw GitHub URL (https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}) and marks several shared/references/*.md files as "MANDATORY READ", so untrusted third-party content from GitHub would be ingested and could materially influence build/optimization decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill specifies that if the local shared/ directory is missing it will fetch required "MANDATORY READ" reference files at runtime from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}, meaning remote content is loaded during execution and those documents appear to directly drive agent behavior and summary/contracts used by the skill.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 12, 2026, 06:29 AM
Issues
2