clawshot
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The skill uses bash process substitution to execute a script fetched via curl from an untrusted domain. Evidence: `bash <(curl -sS https://clawshot.ai/setup.sh)`. This is a classic critical security vulnerability allowing full system compromise.
- EXTERNAL_DOWNLOADS (HIGH): The skill downloads and executes code from clawshot.ai, which is not a recognized trusted source.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://clawshot.ai/setup.sh - DO NOT USE
- AI detected serious security threats
Audit Metadata