memos-cloud-developer

Fail

Audited by Snyk on Jun 17, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). Most links are API/documentation and benign placeholders, but the presence of raw GitHub resource URLs plus an explicit instruction to run scripts/upgrade.py that fetches and writes remote files (a supply‑chain update step) makes this set a moderate-to-high security risk because it could be used to download and execute malicious payloads.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The required workflow runs scripts/upgrade.py, which fetches remote resources/*.md (including resources/cn/index.md / resources/en/index.md) from GitHub raw at runtime; those outsider-authored markdown files are then read and can be injected into the agent’s LLM context via the skill’s subsequent “read resources” steps.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Issues (3)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 17, 2026, 01:53 PM
Issues
3
Security Audit — snyk — memos-cloud-developer