looper-looper
Fail
Audited by Snyk on Jul 3, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). The raw.githubusercontent.com links host install/uninstall shell scripts (direct runnable code) which are high-risk to execute without review, while the rest are a GitHub repo, a documentation/placeholder domain (code.example.com), and a webhook endpoint referenced in the docs — none are obfuscated redirects or obvious typosquats, but the presence of direct .sh installers means this set should be treated as potentially risky until the repo and scripts are verified.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs running remote install/uninstall scripts fetched at runtime via curl and piped to sh (https://raw.githubusercontent.com/nexu-io/looper/main/scripts/install.sh and https://raw.githubusercontent.com/nexu-io/looper/main/scripts/uninstall.sh), which executes remote code and is relied on for installing/removing the looper CLI.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata