embedded-rust
Fail
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute a remote shell script directly via a piped command in the terminal. This pattern is identified in 'SKILL.md' for the installation of 'probe-rs' tools: `curl --proto '=https' --tlsv1.2 -LsSf https://github.com/probe-rs/probe-rs/releases/latest/download/probe-rs-tools-installer.sh | sh`.
- [REMOTE_CODE_EXECUTION]: The reference guide 'references/embedded-rust-targets.md' contains a sequence of commands to download a remote binary ('espup'), grant it execution permissions via 'chmod +x', and run it. This constitutes an unverified remote code execution vector.
- [EXTERNAL_DOWNLOADS]: The skill fetches installation scripts and binaries from non-whitelisted external repositories on GitHub, specifically from the 'probe-rs' and 'esp-rs' organizations. While these are relevant to the skill's purpose, they are not part of the pre-approved trusted vendor list.
- [COMMAND_EXECUTION]: The skill provides numerous instructions for the agent to execute shell commands, including toolchain management via 'rustup', hardware flashing/debugging via 'probe-rs', and environment setup, which increases the attack surface if the instructions are manipulated.
Recommendations
- HIGH: Downloads and executes remote code from: https://github.com/probe-rs/probe-rs/releases/latest/download/probe-rs-tools-installer.sh - DO NOT USE without thorough review
- AI detected serious security threats