skills/boshu2/agentops/update/Gen Agent Trust Hub

update

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill's primary function is to download content from an untrusted GitHub user ('boshu2'). This user is not on the list of trusted entities, making the source unverified.
  • [REMOTE_CODE_EXECUTION] (HIGH): The command npx skills@latest add boshu2/agentops --all -g downloads a package from the npm registry and immediately uses it to install and potentially execute scripts from a remote repository. This constitutes remote code execution (RCE) via an untrusted third party.
  • [COMMAND_EXECUTION] (MEDIUM): The skill executes commands with global impact (-g flag) and suggests manual file copying (cp -r) into the sensitive ~/.claude/skills/ directory. This bypasses standard safety checks and allows for persistent modification of the agent's environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 19, 2026, 08:55 PM