lightx2v-cli
Fail
Audited by Snyk on Jun 23, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.75). These URLs point to an unfamiliar domain (x2v.light-ai.top) and include a raw GitHub install.sh intended to be piped directly to sh—executing an unreviewed remote script from an unknown repo/domain is a notable malware distribution risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The required runtime workflow for
lightx2v runsubmits a user-supplied--prompt(free-form text) into the API request body, which the skill then uses as LLM context for generation; this is outsider-authored free text because it originates from the operating user’s input rather than the skill’s bundled reference material.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's installation instruction executes a remote shell script fetched at runtime via "curl -fsSL https://raw.githubusercontent.com/ModelTC/lightx2v-studio-cli/main/install.sh | sh", which runs external code and is required to install/run the CLI.
Issues (3)
E005
CRITICALSuspicious download URL detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata