paper-spine-update
Fail
Audited by Snyk on May 27, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These URLs point to an unknown GitHub repository and its raw manifest/archive which directly deliver code and an updater that will download, extract, and replace local skill files and modify user settings (including hiding the skill), so they should be treated as high risk unless the repository and maintainer are independently verified.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The updater fetches a remote manifest and archive at runtime (DEFAULT_MANIFEST_URL "https://raw.githubusercontent.com/WUBING2023/PaperSpine/main/dist/paperspine_version.json" and DEFAULT_ARCHIVE_URL "https://github.com/WUBING2023/PaperSpine/archive/refs/heads/main.zip") and then downloads and installs the repository contents into local skill directories, which directly replaces code that controls agent prompts/behavior.
Issues (2)
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata