adk-scaffold
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The troubleshooting section includes a command that fetches a shell script from a remote URL and pipes it directly into the shell for execution.
- Evidence: `curl -LsSf https://astral.sh/uv/install.sh | sh`
- Context: This is the official installation command for the 'uv' package manager, a well-known tool from Astral.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the download and execution of external tools and packages required for project scaffolding.
- Evidence: Use of `uvx agent-starter-pack` to run a CLI tool and `pip install agent-starter-pack` as a fallback.
- Context: The 'agent-starter-pack' is a tool associated with the Google ADK ecosystem mentioned in the skill body.
- [COMMAND_EXECUTION]: The skill provides numerous commands for the agent to execute in the local environment to manage project files, directories, and configurations.
- Evidence: `uvx agent-starter-pack create <project-name>`, `uvx agent-starter-pack enhance .`, and various flags for system configuration.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata