minecraft-modpack-server
Warn
Audited by Snyk on May 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md "Download & Inspect the Pack" step explicitly instructs fetching an arbitrary serverpack.zip via wget ("") and to inspect startserver.sh and mods/, meaning the workflow ingests untrusted third-party modpack content (e.g., CurseForge/Modrinth or arbitrary URLs) that the agent is expected to read and use to determine loader, Java version, and launch behavior, so that content could materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The wget command (wget -O serverpack.zip "") downloads a remote server pack at runtime which the skill then instructs to inspect and run (e.g., startserver.sh / installer jars), meaning fetched content can execute remote code and is a required dependency.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt includes explicit sudo commands (apt installs and ufw firewall changes) and other system-level modifications (installing packages, opening ports, setting cron jobs) that instruct the agent to change the host machine's state with elevated privileges.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata