task-master-install
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (CRITICAL): The skill contains a troubleshooting command `curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash` which downloads and executes a script from an untrusted source (nvm-sh) directly into the shell.
- Privilege Escalation (HIGH): Installation instructions include the use of `sudo` for package management (e.g., `sudo apt install nodejs npm`), which can lead to system-wide compromise if the installation process is intercepted or the script is malicious.
- External Downloads (MEDIUM): The skill installs the `task-master-ai` package from npm and a Docker image `datalayer/jupyter-mcp-server:latest`, both of which are from organizations not listed in the trusted sources.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata