video-to-splat

Fail

Audited by Snyk on Jul 8, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The bundle includes a remote install script piped to sh (https://astral.sh/uv/install.sh) and direct downloads of a prebuilt executable from a personal GitHub release (ArthurBrussee/brush) which are high-risk vectors for running unverified binaries on your machine.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). High-confidence: setup_env.sh downloads and extracts a Brush binary from https://github.com/ArthurBrussee/brush/releases/... and the COLMAP vocab tree from https://github.com/colmap/colmap/releases/download/3.11.1/... (used for --loop-detection), and convert_splat.sh runs npx -y "@playcanvas/splat-transform@…" which fetches and executes code from the npm registry at runtime — these steps fetch remote code that is executed and are required for training/conversion.

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 8, 2026, 03:28 AM
Issues
2
Security Audit — snyk — video-to-splat