talking-head
Fail
Audited by Snyk on Jul 8, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). The package list is mostly GitHub and Hugging Face model/repos (low-risk), but the instructions include a direct curl|sh installer from astral.sh (https://astral.sh/uv/install.sh), a third‑party shell script fetched-and-executed which is a high‑risk pattern for malware distribution.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The setup script fetches and installs remote code/weights that are executed at runtime: scripts/setup_env.sh clones the JoyVASA repo from https://github.com/jdh-algo/JoyVASA.git and downloads Hugging Face repos/weights (e.g. https://huggingface.co/jdh-algo/JoyVASA, https://huggingface.co/TencentGameMate/chinese-hubert-base, https://huggingface.co/KlingTeam/LivePortrait) which animate.py imports and runs, and SKILL.md also suggests running a remote installer via curl https://astral.sh/uv/install.sh | sh — all clear evidence of required remote fetch-and-execute during setup/runtime.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata