motion
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The SKILL.md file contains two instances of remote code execution where scripts are downloaded and piped directly to bash: 'curl -sSL https://canifi.com/skills/motion/install.sh | bash' and 'curl -sSL https://canifi.com/install.sh | bash'. This is a severe security risk.
- [EXTERNAL_DOWNLOADS]: The skill relies on executable content from 'canifi.com', which is not a trusted organization or well-known service. Executing unverified third-party scripts from the internet is a high-risk activity.
- [COMMAND_EXECUTION]: The skill uses a custom tool 'canifi-env' to store and manage sensitive environment variables like 'MOTION_API_KEY' and 'SERVICE_PASSWORD'. Because this tool is installed via an insecure remote script, the security and privacy of these credentials cannot be guaranteed.
Recommendations
- HIGH: Downloads and executes remote code from: https://canifi.com/skills/motion/install.sh, https://canifi.com/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata