onboarding-helper

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [Remote Code Execution] (CRITICAL): The skill uses a dangerous pattern to execute code directly from the internet.
      • Evidence: Scanner detected curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash.
      • Analysis: Piped execution (curl | bash) allows a remote repository to execute arbitrary commands on the host machine. The source repository nvm-sh is not included in the predefined trusted sources list, making this a critical vulnerability.
  • [External Downloads] (HIGH): The skill fetches executable content from an external GitHub URL.
  • [Command Execution] (HIGH): Direct invocation of the bash shell to execute external content poses a high risk to system integrity.
Recommendations
  • CRITICAL: Downloads and executes remote code from untrusted source(s): https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh - DO NOT USE
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 04:57 AM