ubs-scanner
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- Remote Code Execution (CRITICAL): The skill's primary installation method involves downloading a script from an untrusted repository and piping it directly to the shell: `curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/main/install.sh | bash`. This allows the maintainer of that repository to execute arbitrary code on the user's machine with no verification.
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and analyze untrusted source code. It lacks sanitization or boundary markers for the data it processes. An attacker could embed malicious instructions within code comments or metadata of the project being scanned to manipulate the scanner's output or the agent's decision-making process in the 'quality-gate' workflow.
- Command Execution (HIGH): The skill provides the agent with instructions to execute complex command-line operations (`ubs scan . --all-rules`). While functional, the lack of a trusted source for the underlying binary makes this highly dangerous.
- External Downloads (HIGH): In addition to the install script, the skill references Docker images and Homebrew packages from unverified sources, expanding the attack surface.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): https://raw.githubusercontent.com/Dicklesworthstone/ultimate_bug_scanner/main/install.sh - DO NOT USE
- AI detected serious security threats