linter-formatter-init
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The documentation in SKILL.md directs the agent to execute a local Python script (python3 ~/.claude/skills/linter-formatter-init/scripts/setup.py). Because the script's source is not included in the audited package, this is an unverified command execution step: nothing in the submission constrains what the script may read or write on the filesystem or which processes it may spawn.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill automates the installation of third-party Node.js packages (e.g., Biome, Vitest, ESLint) using the Bun package manager. These are common development tools, but installing their 'latest' versions from an unverified script means the set of code pulled in is decided at run time by the registry rather than by anything the auditor can inspect, which is a supply chain risk.
- REMOTE_CODE_EXECUTION (MEDIUM): The skill's primary function is to run a setup script that interacts with the user's project environment. Without the script's source, it cannot be determined whether it fetches additional remote code or executes dynamically constructed commands.
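The findings above reduce to two checks a reviewer can run before letting an agent execute a skill: does every script the SKILL.md tells the agent to run actually ship with the skill, and do its package installs name exact versions? The following script is an added example and is not part of the audit report or of the linter-formatter-init skill; the SKILL.md content it scans is constructed to mirror the audited command, the package list is assumed, and the script is checked against an empty temporary home directory so the setup script is absent, as the audit describes.

```python
"""Pre-flight review of an agent skill's SKILL.md: list the local scripts its
documented commands would execute, check that each one exists, and flag
package installs that pull unpinned ("latest") versions."""
import shlex
import tempfile
from pathlib import Path

FENCE = "`" * 3
# Interpreters whose first file argument is a script that would be executed.
INTERPRETERS = {"python", "python3", "node", "bun", "sh", "bash"}
SCRIPT_SUFFIXES = {".py", ".js", ".ts", ".sh"}
# (tool, verb) pairs that install packages; their arguments should carry a pin.
INSTALL_VERBS = {("bun", "add"), ("npm", "install"), ("npm", "i"),
                 ("pnpm", "add"), ("yarn", "add")}

# Constructed sample SKILL.md; the setup.py path is the one named in the audit,
# the Bun install line is an assumption about what such a skill would run.
SAMPLE_SKILL_MD = "\n".join([
    "# linter-formatter-init",
    "",
    "Run the setup script, then install the tooling:",
    "",
    FENCE + "bash",
    "python3 ~/.claude/skills/linter-formatter-init/scripts/setup.py",
    "bun add -d @biomejs/biome vitest eslint@latest",
    FENCE,
])


def extract_commands(skill_md: str) -> list[str]:
    """Return the non-empty lines inside fenced code blocks, minus a '$ ' prompt."""
    commands, in_fence = [], False
    for line in skill_md.splitlines():
        stripped = line.strip()
        if stripped.startswith(FENCE):
            in_fence = not in_fence
            continue
        if in_fence and stripped:
            commands.append(stripped[2:] if stripped.startswith("$ ") else stripped)
    return commands


def _argv(command: str) -> list[str]:
    try:
        return shlex.split(command)
    except ValueError:  # unbalanced quotes: treat as no tokens
        return []


def referenced_scripts(commands: list[str]) -> list[str]:
    """Local script paths that an interpreter command would run."""
    scripts = []
    for command in commands:
        argv = _argv(command)
        if not argv or Path(argv[0]).name not in INTERPRETERS:
            continue
        # The first non-flag argument is the script; interpreter options are skipped.
        for arg in argv[1:]:
            if not arg.startswith("-"):
                if Path(arg).suffix in SCRIPT_SUFFIXES:
                    scripts.append(arg)
                break
    return scripts


def unpinned_installs(commands: list[str]) -> list[str]:
    """Package specs installed without an exact version, e.g. 'vitest' or 'eslint@latest'."""
    flagged = []
    for command in commands:
        argv = _argv(command)
        if len(argv) < 3 or (Path(argv[0]).name, argv[1]) not in INSTALL_VERBS:
            continue
        for spec in argv[2:]:
            if spec.startswith("-"):  # install flags such as -d / --dev
                continue
            name, at, version = spec.rpartition("@")
            # A scoped package like @biomejs/biome leaves name empty: no pin present.
            if not at or not name or version == "latest":
                flagged.append(spec)
    return flagged


def resolve_home(path_str: str, home: Path) -> Path:
    """Expand a leading '~/' against the given home directory instead of the real one."""
    return home / path_str[2:] if path_str.startswith("~/") else Path(path_str)


def audit(skill_md: str, home: str) -> dict:
    """Summarise what the SKILL.md would execute and which scripts cannot be reviewed."""
    commands = extract_commands(skill_md)
    scripts = referenced_scripts(commands)
    missing = [s for s in scripts if not resolve_home(s, Path(home)).is_file()]
    return {"scripts": scripts, "missing_scripts": missing,
            "unpinned": unpinned_installs(commands)}


if __name__ == "__main__":
    # Empty temporary home: the setup script is absent, the situation the audit describes.
    with tempfile.TemporaryDirectory() as home:
        result = audit(SAMPLE_SKILL_MD, home)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A missing entry in `missing_scripts` is the COMMAND_EXECUTION finding in mechanical form: the agent is told to run a file that the reviewer cannot read. The `unpinned` list is the EXTERNAL_DOWNLOADS finding; a scoped package with no `@version` suffix is reported as unpinned just like a bare name or an explicit `@latest`. When the script is present, reviewing it for network fetches and dynamic command construction is the manual step this check cannot replace.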
Recommendations
- AI detected serious security threats
Audit Metadata