analyze-experiment

Fail

Audited by Snyk on Jun 16, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The cli.promptingco.com/install.sh URL is suspicious because it is a direct shell-install script (commonly abused to deliver malware) hosted on a different/unknown domain than the main site (promptingcompany.com); the root website itself looks like a normal informational page but should be independently verified before trusting its installer.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). The workflow ingests outsider-authored free text from the tpc CLI outputs—specifically full execution logs/transcripts and error-category log content (e.g., tpc sim run logs <run-id> and tpc sim experiment results <experiment-id> --error-category "<category>"), which can include arbitrary agent/user-generated text not authored by the operating user.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill's prerequisites and INSTALL.md instruct installing a required CLI via a remote-install command that fetches and executes code at runtime: "curl -fsSL https://cli.promptingco.com/install.sh | bash", and the skill relies on that CLI as a required dependency.

Issues (3)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 16, 2026, 05:42 PM
Issues
3
Security Audit — snyk — analyze-experiment