tempo-docs

Warn

Audited by Snyk on Jul 6, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). Skill workflow includes runtime web fetching via read_web_page (e.g., https://tempo.xyz/developers/llms.txt and arbitrary .md docs URLs), which ingests outsider-authored free text from Tempo’s public web pages into the agent’s LLM context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The tempo-wallet skill explicitly instructs runtime fetching and execution of remote install code via "curl -fsSL https://tempo.xyz/install | bash" (and also directs fetching https://tempo.xyz/SKILL.md for exact setup instructions), which downloads remote content that is executed or used to control agent behavior as a required setup step.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 6, 2026, 12:30 PM
Issues
2
Security Audit — snyk — tempo-docs