using-openspend-cli
Fail
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements a piped execution pattern where a script is downloaded from 'https://openspend.ai/install' and immediately executed via the shell. This pattern is found in the 'SKILL.md' installation instructions and within the 'scripts/install.sh' file.
- [EXTERNAL_DOWNLOADS]: The skill retrieves software components from 'openspend.ai' and a Homebrew tap owned by 'promptingcompany'. While these appear to be vendor-owned resources, they represent external dependencies fetched at runtime.
- [COMMAND_EXECUTION]: The skill executes multiple shell commands to interact with the 'openspend' CLI, including 'openspend auth login', 'openspend dashboard policy init', and 'openspend update', which involve system-level configuration and network communication.
Recommendations
- HIGH: Downloads and executes remote code from: https://openspend.ai/install - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata