NYC

firebase-basics

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill contains a piped shell command that downloads and executes a script directly from a remote source. This pattern is dangerous because the script content is not verified before execution and the source is not in the trusted list.
  • Evidence: curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash in SKILL.md.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires downloading several external tools and libraries from sources outside the trusted scope.
  • Evidence: Global installation of firebase-tools via npm and the download of nvm-windows from a GitHub release link.
  • [COMMAND_EXECUTION] (MEDIUM): The documentation suggests the use of administrative privileges (sudo) to resolve installation errors.
  • Evidence: Mention of sudo in the 'Common Issues' section of SKILL.md for npm install -g failures.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 07:56 PM