shellcheck-cicd-2025

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill provides instructions to download the ShellCheck binary directly from an external GitHub repository (koalaman/shellcheck). While this is the official repository for the tool, it is not on the predefined list of trusted organizations. This finding is downgraded to MEDIUM as it is central to the skill's primary purpose.
  • [COMMAND_EXECUTION] (HIGH): The installation guide includes commands that use sudo for system-level operations, such as moving binaries to /usr/local/bin/ and installing packages via apt-get. These actions involve privilege escalation. This finding is downgraded to MEDIUM as it is required for the intended tool installation.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The GitHub Action and pre-commit configuration reference external third-party repositories (ludeeus/action-shellcheck and shellcheck-py/shellcheck-py) which are not within the trusted scope defined for this analysis.
  • [COMMAND_EXECUTION] (LOW): The skill includes a Git hook script that modifies the .git/hooks/pre-commit file. While this is a form of persistence/hooking, it is the explicitly stated goal of that section.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 05:36 PM