Skills
skills/endorlabs/skills-ideas/endor-setup/Gen Agent Trust Hub

endor-setup

Fail

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Fetches and executes the Node Version Manager (nvm) installation script directly from its official GitHub repository using a piped shell command.\n
  • Evidence: curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash\n- [REMOTE_CODE_EXECUTION]: Downloads and executes a setup script from NodeSource to configure system repositories for Node.js installation, utilizing elevated privileges.\n
  • Evidence: curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -\n- [REMOTE_CODE_EXECUTION]: Uses npx to dynamically download and execute the endorctl package from the npm registry for version checking and as a background MCP server.\n
  • Evidence: npx -y endorctl --version and the mcpServers configuration in settings.json.\n- [COMMAND_EXECUTION]: Employs the sudo command to install system-level packages through the apt package manager.\n
  • Evidence: sudo apt-get install -y nodejs\n- [EXTERNAL_DOWNLOADS]: Retrieves installation scripts and binaries from external domains including raw.githubusercontent.com, deb.nodesource.com, and the npm registry.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 21, 2026, 04:26 AM