motion
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The file SKILL.md instructs users to execute a remote script by piping the output of a curl command directly into bash (e.g., curl -sL "http://api.motion.dev/registry/skills/motion-audit?token=YOUR_TOKEN" | bash). This practice allows unverified code to run with the permissions of the local shell.
- [REMOTE_CODE_EXECUTION]: The Motion Studio MCP Configuration uses npx to execute a package directly from a remote tarball URL (https://api.motion.dev/registry.tgz?package=motion-studio-mcp). Executing remote tarballs via npx bypasses standard registry security checks and enables remote code execution.
- [EXTERNAL_DOWNLOADS]: The skill provides installation instructions for the motion-plus package using a direct URL to a remote archive (https://api.motion.dev/registry.tgz) rather than the official npm registry, introducing a dependency on an unverified external source.
Recommendations
- HIGH: Downloads and executes remote code from: http://api.motion.dev/registry/skills/motion-audit?token=YOUR_TOKEN - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata