querying-markdown

Fail

Audited by Snyk on Jun 22, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The keepachangelog and mqlang book URLs are benign documentation, but the installer downloads a prebuilt binary directly from a personal GitHub releases URL (github.com/harehare/mq/releases/...), which — while hosted on a reputable platform — is an executable from an individual/small account and should be treated as potentially risky unless you verify the source, checksum/signature, and inspect the repository/source build; direct downloads of executables from unknown GitHub accounts are a common malware vector.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The install script fetches and installs a remote executable at runtime via curl from https://github.com/harehare/mq/releases/download/${MQ_VERSION}/${ASSET} (or via gh release download from harehare/mq), which downloads and places a binary that will be executed as a required dependency, so this is a runtime fetch of executable code.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill tells the user to run an install script that drops a binary into /usr/local/bin (a system directory), which modifies system state and typically requires elevated/sudo privileges, so it pushes the agent to perform privileged state changes.

Issues (3)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 22, 2026, 06:02 AM
Issues
3
Security Audit — snyk — querying-markdown