query
Fail
Audited by Snyk on Jul 2, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The wrapper auto-downloads and installs executable archives from a remote CDN and periodically auto-updates/executes them without any cryptographic signature or checksum verification, creating a high-risk supply-chain / remote-code-execution avenue for malicious payloads.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's runtime wrapper downloads and installs a platform binary from the CDN (fetching https://agent-cdn.nutrient.io/pdf-to-markdown/LATEST and then tarballs under https://agent-cdn.nutrient.io/pdf-to-markdown//.tar.gz) and then executes that fetched binary, so it fetches and runs remote code as a required runtime dependency.
Issues (2)
E006
CRITICALMalicious code pattern detected in skill scripts.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata