opencron
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script `scripts/install-system.js` uses a dangerous pattern to download and immediately execute shell scripts from external URLs (specifically from NodeSource and NVM) using `curl | bash`.
- [REMOTE_CODE_EXECUTION]: The `scripts/smart-interface.js` file dynamically generates Node.js script files in the `tasks/` directory based on descriptions provided in user prompts. These generated scripts are then executed by the system's task scheduler, which can be exploited to run unauthorized code.
- [COMMAND_EXECUTION]: Numerous scripts, including `install.js`, `install-system.js`, and `smart-interface.js`, utilize `child_process.execSync` to run shell commands. This includes performing actions with elevated privileges via `sudo` and managing system processes with `pm2`.
- [EXTERNAL_DOWNLOADS]: The skill is designed to download and install the `opencron-system` package globally or locally from the NPM registry during its setup process.
- [COMMAND_EXECUTION]: `scripts/config.js` contains a suspicious call to an external Python script located at a relative path outside the skill's own directory (`trast-mechanism/scripts/safe_copy.py`), which may not exist or be verifiable in all environments.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh - DO NOT USE without thorough review
- AI detected serious security threats