artifact-sbom-publisher
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill includes a 'curl | sh' command to download and execute an installation script from 'raw.githubusercontent.com/anchore/syft/main/install.sh'. Piping remote content directly to a shell is a dangerous pattern that executes unverified code.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Multiple third-party GitHub Actions from organizations like CycloneDX, Anchore, and Aqua Security are utilized. These organizations are not included in the 'Trusted GitHub Organizations' list, representing unverifiable supply chain dependencies.
- [COMMAND_EXECUTION] (LOW): The skill performs shell-based operations for packaging and metadata generation. While expected for build automation, these patterns represent potential command injection surfaces if GitHub context variables (e.g., ref_name, workflow) were to be manipulated.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/anchore/syft/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata