monskill
Warn
Audited by Snyk on Jun 30, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill set instructs agents to fetch markdown at runtime (e.g., raw GitHub URLs such as https://raw.githubusercontent.com/therealharpaljadeja/monskills/main/concepts/references/async-execution.md and skills hosted at https://skills.devnads.com), and those fetched files are injected into the agent context to drive its behavior — a runtime external dependency that directly controls agent prompts.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill set explicitly includes crypto/blockchain transaction capabilities: the "Wallet" skill describes agent wallet management, Safe multisig creation, deploying smart contracts and performing on-chain actions via Safe multisig, and proposing transactions to a Safe Transaction Service with EIP-712 signatures. The "Wallet Integration" and "Addresses" skills further provide wallet/auth integrations (embedded MPC wallets, external wallet connect) and canonical onchain addresses. These are specific tools for managing wallets, signing and submitting blockchain transactions — i.e., direct financial execution.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata