artifact-sbom-publisher
Warn
Audited by Snyk on Jun 20, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The workflow includes a runtime command that fetches and executes remote code via curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh, which clearly retrieves and runs external code as a required step.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (low risk: 0.30). The workflow includes a shell install that writes to /usr/local/bin (curl | sh -s -- -b /usr/local/bin) which modifies system-level files, but it does not request sudo, ask to bypass security mechanisms, or create new user accounts—so it poses a low but non-zero risk.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata