Skills
skills/availproject/nexus-elements/nexus-elements-nexus-provider/Gen Agent Trust Hub

nexus-elements-nexus-provider

Warn

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the user to download component definitions from a non-whitelisted domain.
  • Evidence: Registry URL https://elements.nexus.availproject.org/r/{name}.json and direct download link https://elements.nexus.availproject.org/r/nexus-provider.json.
  • [COMMAND_EXECUTION] (MEDIUM): Uses npx shadcn@latest add to fetch and process remote JSON files.
  • Evidence: The command npx shadcn@latest add https://elements.nexus.availproject.org/r/nexus-provider.json executes logic that writes remote code content directly to the local filesystem.
  • [DATA_EXPOSURE] (SAFE): The skill facilitates EIP-1193 wallet provider connections but does not show patterns of exfiltration or hardcoded credentials.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 18, 2026, 08:39 AM