nodejs-development
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- Remote Code Execution (CRITICAL): The skill utilizes the command
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash, which downloads and executes a script directly from a remote source. The repository 'nvm-sh' is not included in the pre-approved list of trusted GitHub organizations, making this a critical remote code execution risk according to established safety protocols. - External Downloads (MEDIUM): Automated scanners identified
logger.infoas a malicious or blacklisted URL pattern. While this is likely a false positive resulting from the scanner misinterpreting a code logging method as a URL, the presence of blacklisted indicators in an automated report warrants a MEDIUM severity investigation for potential metadata poisoning.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata