tooluniverse-cs-setup

Warn

Audited by Snyk on Jul 1, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.95). Outsider free text is fetched at runtime from the public GitHub ToolUniverse repository tarball (REPO_TARBALL), extracted as skills/**/SKILL.md, and then its body text is concatenated into the staged skill files via tu_build_research_bundle() (LLM-readable markdown under out/workflows/*.md and out/SKILL.md).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The tu_build_research_bundle() helper downloads the ToolUniverse repo tarball at runtime from https://codeload.github.com/mims-harvard/ToolUniverse/tar.gz/refs/heads/ (plus the ref), parses SKILL.md workflow files from that tarball, and writes/publishes those workflows into the skill — so fetched remote content directly controls agent instructions and is required for the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt instructs the agent to create environments and install packages and—most importantly—use host.skills.edit/delete/publish to write and publish a new skill (including kernel.py) into the host's skill catalog, which persistently modifies the agent's execution environment and can introduce arbitrary code, so it meaningfully changes machine state even though it does not request sudo or system-file edits.

Issues (3)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 1, 2026, 07:56 PM
Issues
3
Security Audit — snyk — tooluniverse-cs-setup