skills/disler/bowser/just (Gen Agent Trust Hub)

just

Warn

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
  • COMMAND_EXECUTION (HIGH): The core purpose of this skill is to run commands from a 'justfile', which can include destructive operations like 'rm -rf' (seen in 'python-venv.just') or execution of local scripts (e.g., './scripts/deploy.sh').
  • EXTERNAL_DOWNLOADS (MEDIUM): Examples demonstrate the use of various package managers ('npm', 'pip', 'bun', 'uv') to download and install external code. This poses a supply chain risk if the 'justfile' points to malicious or unverified packages.
  • REMOTE_CODE_EXECUTION (MEDIUM): The skill supports 'shebang recipes' which allow execution of embedded Python, Node, or Bun scripts. These scripts can perform network operations, such as the GitHub API request in 'uv-python.just', which could be used for data exfiltration or downloading further payloads.
  • DATA_EXFILTRATION (LOW): The tool can automatically load environment variables via 'set dotenv-load', which often contain sensitive credentials. Combined with the network capabilities of embedded scripts, this creates a potential exfiltration vector.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 21, 2026, 09:05 PM