Skills
skills/resolved-sh/rstack/rstack-audit/Gen Agent Trust Hub

rstack-audit

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Uses curl to fetch JSON data from the operator's subdomain (e.g., resolved.sh) and specific discovery endpoints like /.well-known/agent-card.json. These are standard data retrieval operations for the skill's purpose.
  • [EXTERNAL_DOWNLOADS]: The skill makes requests to smithery.ai and skills.sh to check if the user's profile is listed in external registries. These requests are limited to checking HTTP status codes and do not download or execute remote scripts.
  • [DATA_EXPOSURE]: Uses the RESOLVED_SH_API_KEY environment variable to authenticate requests to the resolved.sh API. This is a secure practice for managing user credentials rather than hardcoding them.
  • [REMOTE_CODE_EXECUTION]: An automated alert flagged a curl command to smithery.ai. Analysis confirms this is a false positive; the command uses -o /dev/null to discard the body and only retrieves the HTTP status code for presence verification, with no path to execution.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 16, 2026, 03:20 AM