ollygarden-cli
Fail
Audited by Snyk on May 18, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The instruction to curl a raw GitHub URL and pipe it to sh is a high-risk pattern that executes remote code (potential malware); the other listed URLs (app settings, webhook example, staging/internal API hosts) are non-executable or internal/placeholder endpoints.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill contains a runtime install command that curls and pipes a remote script to the shell (curl -fsSL https://raw.githubusercontent.com/ollygarden/ollygarden-cli/main/install.sh | sh), which fetches and directly executes remote code and is presented as the required install path for the CLI.
Issues (2)
E005
CRITICAL Suspicious download URL detected in skill instructions.
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata