dependency-scanning

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • REMOTE_CODE_EXECUTION (CRITICAL): The skill provides a command to install 'Syft' by piping a script from 'https://raw.githubusercontent.com/anchore/syft/main/install.sh' directly into the shell (curl | sh). This execution method is highly dangerous as it grants the remote source full control over the host system. The 'anchore' organization is not listed as a trusted external source.
  • EXTERNAL_DOWNLOADS (HIGH): The skill references downloading an executable ZIP release for 'OWASP Dependency-Check' from 'https://github.com/jeremylong/DependencyCheck/'. The repository owner 'jeremylong' is not a trusted source, making the execution of these downloaded binaries a security risk.
  • COMMAND_EXECUTION (MEDIUM): The skill utilizes numerous commands that install and run various security tools across different languages (npm, pip, go, gem). While standard for development, these actions execute code from third-party ecosystems and repositories that have not been explicitly verified within the trust scope of this analysis.
Recommendations
  • CRITICAL: Downloads and executes remote code from untrusted source(s): https://raw.githubusercontent.com/anchore/syft/main/install.sh - DO NOT USE
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 01:38 PM