tao-run-on-lepton
Fail
Audited by Snyk on Jun 18, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). Most links are official PyTorch/NVIDIA documentation and a bug-bounty page, but the presence of a raw GitHub-hosted shell script (raw.githubusercontent.com/...lepton_env_to_pytorch.sh) that the skill explicitly downloads and sources is a high-risk distribution vector — remote .sh scripts should be reviewed and treated as potentially malicious before executing.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly fetches and sources remote shell code at runtime via "wget -O init.sh https://raw.githubusercontent.com/leptonai/scripts/main/lepton_env_to_pytorch.sh" followed by "source init.sh", which executes remote code the job relies on for multi-node bootstrapping.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata