Skills
skills/steipete/clawdis/coding-agent/Snyk

coding-agent

Fail

Audited by Snyk on May 11, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.95). This skill explicitly instructs bypassing sandboxing and approval controls (e.g., --yolo, --full-auto, --permission-mode bypassPermissions, elevated:true), requires injecting notify routing into worker prompts and mandating direct outbound "openclaw message send" completion messages, and encourages running background unsandboxed agent CLI processes and package installs—patterns that together enable easy data exfiltration, remote code execution, and supply-chain or repo-tampering backdoors.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs cloning and reviewing public GitHub repos and PRs (e.g., "git clone https://github.com/user/repo.git" and the "Reviewing PRs"/"Batch PR Reviews" examples), which causes the agent to fetch and act on untrusted, user-generated third‑party code/content that can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime git fetch/clone commands (e.g., git clone https://github.com/user/repo.git) that explicitly pull remote repository contents into the worker workspace which are then used as the agent's input/context (and can cause code to be run), so a remote URL is fetched at runtime and directly controls what the coding agent sees/executes.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs using flags and modes that bypass sandboxing and permissions (e.g., Claude's --permission-mode bypassPermissions, Codex's --yolo/--full-auto, and an "elevated" host-run option), which encourages disabling security boundaries even though it doesn't directly run sudo or create users.

Issues (4)

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W013
MEDIUM

Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
CRITICAL
Analyzed
May 11, 2026, 11:34 PM
Issues
4