bg-music
Fail
Audited by Snyk on Jul 8, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The GitHub and Hugging Face links point to expected project and model repositories (low risk), but the direct shell installer https://astral.sh/uv/install.sh is a remote .sh script referenced for curl | sh installation — a high-risk pattern because executing remote installer scripts can deliver malware or escalate compromise.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill clones and runs code from an external GitHub repo (https://github.com/ace-step/ACE-Step-1.5.git via scripts/setup_env.sh) and the ACE-Step code also pulls model weights from Hugging Face at runtime (referenced https://huggingface.co/ACE-Step/Ace-Step1.5), so remote code/content is fetched and executed as a required dependency.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata