orca-dispatch-reference
Fail
Audited by Snyk on Jun 12, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 1.00). The raw.githubusercontent.com links point to executable install scripts (curl|bash and irm|iex) from an unknown GitHub repo, and piping remote scripts directly into an interpreter is high-risk. The cognee1995.coteccons.vn host is a nonstandard/private subdomain used for tokened API calls, and the examples even use -k. Together these are suspicious and could be used to distribute or execute malware.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The Caveman install commands fetch and execute remote scripts (irm https://raw.githubusercontent.com/JuliusBrussee/caveman/main/install.ps1 | iex and curl -fsSL https://raw.githubusercontent.com/JuliusBrussee/caveman/main/install.sh | bash), which run remote code and modify agent prompt/behavior.
Issues (2)
- E005 (CRITICAL): Suspicious download URL detected in skill instructions.
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).