object-to-3d

Fail

Audited by Snyk on Jul 8, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). These URLs include a remote install script fetched-and-run (curl|sh) and direct GitHub release binary downloads from a third-party account — both are high-risk vectors for distributing executables and merit caution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The setup and preview steps fetch and execute remote code at runtime—e.g. SKILL.md suggests piping https://astral.sh/uv/install.sh to sh, scripts/setup_env.sh downloads/extracts the Brush binary from https://github.com/ArthurBrussee/brush/releases/download/... and runs npm install, and scripts/preview.sh invokes npx -y "@playcanvas/splat-transform@${ST_VERSION}" which pulls and executes remote npm code—so these URLs are runtime dependencies that download and run code.

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 8, 2026, 03:28 AM
Issues
2
Security Audit — snyk — object-to-3d