Skills
skills/qwibitai/nanoclaw/setup/Gen Agent Trust Hub

setup

Fail

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Fetches and executes scripts by piping 'curl' output directly into the shell from 'nodesource.com', 'get.docker.com', and 'onecli.sh'. While some are well-known services or vendor resources, this pattern bypasses script integrity verification.
  • [REMOTE_CODE_EXECUTION]: The skill implements self-modifying logic by instructing the agent to rewrite its own 'SKILL.md' and 'diagnostics.md' files to remove sections if a user opts out of telemetry.
  • [COMMAND_EXECUTION]: Utilizes 'sudo' to modify system-level configuration files such as '/etc/wsl.conf' and to adjust permissions on the Docker socket using 'setfacl'.
  • [COMMAND_EXECUTION]: Persistently modifies the user environment by appending 'PATH' adjustments to shell profile files including '/.bashrc' and '/.zshrc'.
  • [DATA_EXFILTRATION]: Collects system metadata such as OS platform, architecture, and Node.js version, and transmits it to 'posthog.com'. This action is documented and requires explicit user confirmation.
  • [CREDENTIALS_UNSAFE]: Contains a hardcoded project API key for the PostHog telemetry service within the 'diagnostics.md' file.
Recommendations
  • HIGH: Downloads and executes remote code from: https://get.docker.com - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 26, 2026, 09:50 PM