chunxiang-rocket
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Categories: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Remote Code Execution (CRITICAL): Detected a command that downloads a script from a remote URL and pipes it directly into the bash shell: curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash. This allows arbitrary code execution on the host machine from an unverified remote source.
- External Downloads (HIGH): The skill fetches external content from raw.githubusercontent.com. Since the source organization 'nvm-sh' is not included in the pre-defined 'Trusted Scope' list, this is classified as an untrusted download.
- Command Execution (HIGH): The skill utilizes shell pipes to execute remote content, a high-risk practice that bypasses standard security validation and package management protocols.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata