get-started

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • REMOTE_CODE_EXECUTION (CRITICAL): The skill contains commands that pipe remote content directly into a shell for execution, specifically for installing development tools like 'uv' and 'nvm'. This pattern is extremely dangerous as it bypasses local inspection and allows a remote server to execute arbitrary code on the host system. The sources involved (astral.sh and nvm-sh) are not on the specified Trusted GitHub Organizations or Repositories list, which sustains the CRITICAL severity level.
  • EXTERNAL_DOWNLOADS (LOW): The documentation recommends installing additional skills from organizations such as 'anthropics' and 'vercel-labs' using 'npx skills add'. These findings are downgraded to LOW severity because these organizations are explicitly listed as trusted sources.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh, https://astral.sh/uv/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 17, 2026, 06:38 PM