tooluniverse-cs-setup
Warn
Audited by Snyk on Jul 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.95). Outsider free text is fetched at runtime from the public GitHub ToolUniverse repository tarball (
REPO_TARBALL), extracted asskills/**/SKILL.md, and then its body text is concatenated into the staged skill files viatu_build_research_bundle()(LLM-readable markdown underout/workflows/*.mdandout/SKILL.md).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The tu_build_research_bundle() helper downloads the ToolUniverse repo tarball at runtime from https://codeload.github.com/mims-harvard/ToolUniverse/tar.gz/refs/heads/ (plus the ref), parses SKILL.md workflow files from that tarball, and writes/publishes those workflows into the skill — so fetched remote content directly controls agent instructions and is required for the skill.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt instructs the agent to create environments and install packages and—most importantly—use host.skills.edit/delete/publish to write and publish a new skill (including kernel.py) into the host's skill catalog, which persistently modifies the agent's execution environment and can introduce arbitrary code, so it meaningfully changes machine state even though it does not request sudo or system-file edits.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata