JBCT
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill documentation (README.md) suggests verifying the installation via a CLI tool, and the metadata contains a command that pipes a remote shell script directly into the shell (curl -fsSL https://raw.githubusercontent.com/siy/jbct-cli/main/install.sh | sh). This is a classic RCE vector where a third party controls the code executed on the user's machine.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill references an external repository (siy/jbct-cli) which is not on the trusted sources list. Downloading and executing content from unverified GitHub users poses a significant security risk.
- COMMAND_EXECUTION (LOW): The skill README.md provides standard commands for directory creation (mkdir -p) and file copying (cp -r), which are benign in isolation but contribute to the execution of the skill's setup.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/siy/jbct-cli/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata