Skills
skills/encoredev/skills/encore-go-getting-started/Gen Agent Trust Hub

encore-go-getting-started

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill directs users to execute shell and PowerShell scripts directly from a remote server without verification.
  • Evidence: curl -L https://encore.dev/install.sh | bash (Linux/macOS)
  • Evidence: iwr https://encore.dev/install.ps1 | iex (Windows)
  • Risk: Piped execution of remote content is a high-risk pattern that allows an untrusted source to run arbitrary code on the host system. The source encore.dev is not in the trusted list provided in the security skill instructions.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill relies on third-party software and Homebrew taps from a non-whitelisted organization.
  • Evidence: brew install encoredev/tap/encore
  • Note: Per [TRUST-SCOPE-RULE], since encoredev is not a trusted GitHub organization, this remains a high-severity finding for external dependency risk.
  • [COMMAND_EXECUTION] (MEDIUM): The skill facilitates the execution of local CLI tools that manage development servers and project configuration.
  • Evidence: encore app create, encore run, and encore db shell.
  • Risk: While these are functional requirements, they expand the attack surface if the downloaded binaries are compromised.
Recommendations
  • CRITICAL: Downloads and executes remote code from untrusted source(s): https://encore.dev/install.sh - DO NOT USE
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 15, 2026, 10:41 PM