holoscan-install-conda
Warn
Audited by Snyk on Jun 18, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The skill’s runtime workflow fetches outsider-authored free text from the public GitHub “examples” repo via
curl(e.g.,hello_world.py,video_replayer.py, andvideo_replayer.yamlfromraw.githubusercontent.com), which is then read/modified as text and executed by the agent’s environment.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly downloads and executes remote content at runtime — e.g., it wget's and then runs the Miniforge installer from https://github.com/conda-forge/miniforge/releases/latest/download/Miniforge3-Linux-x86_64.sh and curl's raw GitHub example scripts from https://raw.githubusercontent.com/nvidia-holoscan/holoscan-sdk/v${SDK_VER}/examples which are then run with python, so fetched external content is executed and relied upon.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata