nvm-install
Fail
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent and user to execute remote shell scripts by piping the output of `curl` or `wget` directly to `bash`. These scripts are fetched from GitHub repositories at `raw.githubusercontent.com/nvm-sh/nvm/`. This pattern is present in the main `SKILL.md` and several example files including `installation.md` and `alpine-install.md`.
- [COMMAND_EXECUTION]: The skill involves the execution of various system-level commands, including package management operations via `apk add` (which may require elevated privileges), repository cloning via `git clone`, and sourcing of shell scripts via the `.` (source) command.
- [DATA_EXFILTRATION]: The installation workflow directs the modification of shell initialization files such as `~/.bashrc`, `~/.zshrc`, `~/.profile`, and `~/.bash_profile`. These are sensitive system paths as they control the execution environment and provide a mechanism for persistent command execution in future shell sessions.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh - DO NOT USE without thorough review
Audit Metadata