Skills
skills/flagos-ai/skills/install-stack-flagos/Gen Agent Trust Hub

install-stack-flagos

Fail

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: CRITICALEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads source code from GitHub and a vendor-specific PyPI registry (resource.flagos.net). It utilizes ghfast.top as a mirror for GitHub; this service has been flagged as suspicious by automated scanners and acts as a third-party intermediary for code downloads.
  • [REMOTE_CODE_EXECUTION]: The skill performs installations using pip install and make on code fetched from external repositories, leading to the execution of remote code.
  • [COMMAND_EXECUTION]: The execution flow utilizes docker exec and docker cp to manipulate the container environment. Internal scripts use subprocess.run to execute system commands for hardware and network detection.
  • [REMOTE_CODE_EXECUTION]: The validation script scripts/validate_packages.py uses importlib.import_module() to dynamically load modules, which can be an attack vector if module names are not strictly controlled.
  • [SAFE]: The skill uses the Tsinghua University PyPI mirror, a recognized academic mirror service.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
CRITICAL
Analyzed
Apr 15, 2026, 03:34 AM