producthunt
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The SKILL.md file contains multiple instructions for the user to download and execute scripts via
curl | bash. This is an extremely dangerous pattern that allows the remote server to execute arbitrary code on the user's machine with the permissions of the current shell. - Evidence:
curl -sSL https://canifi.com/skills/producthunt/install.sh | bash - Evidence:
curl -sSL https://canifi.com/install.sh | bash - [COMMAND_EXECUTION]: The skill requires the installation and use of a custom CLI tool (
canifi-env) to manage its environment. Since this tool is installed via an untrusted remote script, all subsequent commands executed by this tool or on its behalf are suspect. - [CREDENTIALS_UNSAFE]: The skill explicitly asks the user to provide sensitive credentials including
PRODUCTHUNT_PASSWORDandSERVICE_PASSWORD. While the documentation claims these are stored locally, the use of untrusted installation scripts creates a high risk that these credentials could be intercepted or exfiltrated during or after the setup process. - [DATA_EXFILTRATION]: The skill mentions handling 2FA codes and notifying the user via iMessage. This implies the underlying scripts may attempt to access sensitive system databases (like the macOS Messages database) which is a significant privacy and security risk.
Recommendations
- HIGH: Downloads and executes remote code from: https://canifi.com/install.sh, https://canifi.com/skills/producthunt/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata