boxlang-matchbox
Fail
Audited by Snyk on Apr 15, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). This is a direct raw.githubusercontent.com link to an install.sh script — piping or running unknown shell scripts from a GitHub repo is high-risk unless you thoroughly verify the repo, author, and contents (raw .sh from an untrusted or new repo can distribute malware).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes an installation command that fetches and immediately executes remote code via curl -sSL https://raw.githubusercontent.com/ortus-boxlang/matchbox/master/install/install.sh | bash, so it runs external code at install/runtime.
Issues (2)
- CRITICAL E005: Suspicious download URL detected in skill instructions.
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).