skills/ortus-boxlang/skills/boxlang-runtime-matchbox/Snyk

boxlang-runtime-matchbox

Fail

Audited by Snyk on Apr 26, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

Suspicious download URL detected (high risk: 0.70). This is a direct raw GitHub link to an install.sh (a shell script that users are instructed to curl | bash); while hosted on raw.githubusercontent.com (which gives provenance to a GitHub repo), executing remote shell scripts without verifying the repository/maintainer is risky — moderate-to-high risk unless you trust and have audited the repo.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 1.00). The skill's installation step runs a remote install script via curl | bash at https://raw.githubusercontent.com/ortus-boxlang/matchbox/master/install/install.sh, which fetches and immediately executes external code at runtime.

Issues (2)

E005

CRITICAL

Suspicious download URL detected in skill instructions.

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

CRITICAL

Analyzed

Apr 26, 2026, 02:16 PM

Issues

2