web3-solidity-audit-mcp
Fail
Audited by Snyk on Mar 17, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Mixed signals: while foundry.paradigm.xyz and localhost endpoints are legitimate/benign, the skill explicitly fetches and executes a binary and a raw install script from a small/unknown GitHub repo (Cyfrin/aderyn) via direct release downloads and curl|bash, which are common vectors for distributing malicious executables if the repo isn't trusted.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's install/CI steps fetch and execute remote installers required at runtime (e.g., "curl -L https://foundry.paradigm.xyz | bash", "curl -L https://raw.githubusercontent.com/Cyfrin/aderyn/dev/cyfrinup/install | bash", and the GitHub release download URL pattern "https://github.com/Cyfrin/aderyn/releases/download/.../aderyn-*.tar.xz" used in the workflow), which download and run remote code the skill depends on.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata