mkdocs
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): File `references/diagrams.md` contains the shell command `curl -fsSL https://d2lang.com/install.sh | sh`. This is a piped remote execution pattern that downloads and executes an unverified script directly in the shell, representing a critical security risk.
- [COMMAND_EXECUTION] (MEDIUM): The skill documents the MkDocs `hooks` feature in `references/configuration.md`, which allows for the execution of arbitrary Python scripts like `my_hooks.py` during the site generation process. If an agent builds a repository from an untrusted source, this could lead to local code execution.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The documentation suggests installing various third-party plugins and using `pip install $(mkdocs get-deps)` (in `references/plugins.md`) to dynamically resolve and install dependencies, which increases the surface area for supply chain attacks.
Recommendations
- AI detected serious security threats
Audit Metadata