signal-config

Fail

Audited by Snyk on Jun 16, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 1.00). These URLs point to a direct remote install script (curl | bash) hosted on cli.promptingco.com while the vendor site is promptingcompany.com — running unsigned shell scripts from an unfamiliar/secondary domain (domain mismatch) is a high-risk distribution pattern that could deliver malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's workflow requires the tpc CLI for validation and explicitly instructs running a remote installer via "curl -fsSL https://cli.promptingco.com/install.sh | bash", which fetches and executes remote code and is relied on at runtime.

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 16, 2026, 05:44 PM
Issues
2
Security Audit — snyk — signal-config