trivy
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill executes a remote script using the command curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh. This 'pipe to shell' pattern is a major security risk as it allows unverified code to run immediately.
- [COMMAND_EXECUTION] (HIGH): Piped shell execution allows the remote script to perform any command available to the current user, potentially leading to full system compromise.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill pulls content from raw.githubusercontent.com for the aquasecurity organization. Because this organization is not on the pre-approved list of trusted GitHub organizations, the download is considered untrusted.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata