analyze-experiment
Fail
Audited by Snyk on Jun 16, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The cli.promptingco.com/install.sh URL is suspicious because it is a direct shell-install script (commonly abused to deliver malware) hosted on a different/unknown domain than the main site (promptingcompany.com); the root website itself looks like a normal informational page but should be independently verified before trusting its installer.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.75). The workflow ingests outsider-authored free text from the
tpcCLI outputs—specifically full execution logs/transcripts and error-category log content (e.g.,tpc sim run logs <run-id>andtpc sim experiment results <experiment-id> --error-category "<category>"), which can include arbitrary agent/user-generated text not authored by the operating user.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill's prerequisites and INSTALL.md instruct installing a required CLI via a remote-install command that fetches and executes code at runtime: "curl -fsSL https://cli.promptingco.com/install.sh | bash", and the skill relies on that CLI as a required dependency.
Issues (3)
E005
CRITICALSuspicious download URL detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata