saury-revit
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill allows shell injection in Step 4 where user-provided variables `<项目名称>` and `<输出目录>` are interpolated directly into the `dotnet new` command. A malicious project name containing shell metacharacters could execute arbitrary code on the host system.
- [REMOTE_CODE_EXECUTION] (HIGH): Step 2 implements a 'download-and-execute' pattern by fetching a PowerShell script from `https://dot.net/v1/dotnet-install.ps1` and running it locally. This pattern is inherently dangerous as it bypasses local software controls.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill installs the `Saury.Revit.Template` from a public registry. This template is authored by an unverified third party (hopesy), posing a supply chain risk where malicious code could be introduced into the generated project.
- [COMMAND_EXECUTION] (MEDIUM): The skill automates the deployment of compiled DLLs to `C:\ProgramData\Autodesk\Revit\Addins\2026\`. This system-level write operation effectively installs software on the machine and could be leveraged for persistence if the project template is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata