Skills
skills/mauromedda/agent-toolkit/trivy/Gen Agent Trust Hub

trivy

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • Remote Code Execution (CRITICAL): The skill executes code directly from a remote URL using a piped shell command: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh.
  • Evidence: Detection of curl | sh pattern targeting an untrusted GitHub repository.
  • Risk: This pattern is highly susceptible to supply chain attacks. If the remote script is compromised, the attacker gains full control over the agent's environment. The repository 'aquasecurity' is not included in the list of Trusted External Sources.
  • External Downloads (HIGH): The skill fetches content from raw.githubusercontent.com without integrity checks (like checksums) or version pinning (using a specific commit hash instead of 'main').
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 17, 2026, 06:41 PM