Skills
skills/aradotso/trending-skills/llmfit-hardware-model-matcher/Gen Agent Trust Hub

llmfit-hardware-model-matcher

Fail

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides instructions for a 'Quick install' that pipes a remote script directly into the shell using curl -fsSL https://llmfit.axjns.dev/install.sh | sh. This pattern is extremely dangerous as it executes unverified code with the user's local shell permissions.
  • [EXTERNAL_DOWNLOADS]: The skill initiates connections to and downloads executable scripts from an untrusted domain (llmfit.axjns.dev) that is not part of the recognized trusted vendor list.
  • [COMMAND_EXECUTION]: Python code examples within the skill utilize subprocess.run to execute the llmfit binary. While the examples use constant strings for subcommands, the inclusion of variable parameters like model_name and use_case without explicit sanitization creates a surface for potential command injection if these variables were to be populated by untrusted user input in a larger system.
Recommendations
  • HIGH: Downloads and executes remote code from: http://localhost:8787, https://llmfit.axjns.dev/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Mar 17, 2026, 08:50 AM