Skills
skills/straydragon/my-claude-skills/lib-slint-expert/Gen Agent Trust Hub

lib-slint-expert

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis

================================================================================

🔴 VERDICT: HIGH

This skill is designed to provide expert guidance on Slint GUI development. However, it explicitly requests and is granted highly privileged tools, specifically 'Bash', 'Write', and 'Edit'. The 'Bash' tool allows the AI agent to execute arbitrary shell commands on the user's system. This capability, combined with 'Write' and 'Edit' access, creates a significant security vulnerability. A malicious or compromised agent could leverage these permissions to execute unauthorized code, modify critical system files, or exfiltrate sensitive data.

Total Findings: 3

🔴 HIGH Findings: • Privilege Escalation / Arbitrary Command Execution

  • SKILL.md:10: allowed-tools: Read, Write, Edit, Glob, Grep, Bash The skill explicitly requests the 'Bash' tool, which grants the AI agent the ability to execute arbitrary shell commands. It also requests 'Write' and 'Edit' tools, allowing file system modification. This is a critical security risk as it enables potential arbitrary code execution and system manipulation.

🔵 LOW Findings: • Unverifiable Dependency / External Download (Trusted Source)

  • GETTING_STARTED.md:59: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh Instructions for the user to download and execute a script from 'sh.rustup.rs' to install Rust. While 'rustup.rs' is a trusted source for Rust installation, direct execution of downloaded scripts carries inherent risk. This is an instruction for the user, not an action performed by the skill itself. • Unverifiable Dependency / External Download (Trusted Source)
  • GETTING_STARTED.md:68: curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh Instructions for the user to download and execute a script from 'rustwasm.github.io' to install 'wasm-pack'. 'github.io' is generally considered a trusted domain for project pages. This is an instruction for the user, not an action performed by the skill itself.

ℹ️ TRUSTED SOURCE References: • https://sh.rustup.rs

  • GETTING_STARTED.md:59: User instruction to install Rust toolchain from a trusted source. • https://rustwasm.github.io
  • GETTING_STARTED.md:68: User instruction to install wasm-pack from a trusted source.

================================================================================

Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 12, 2026, 12:13 PM