shfmt-configuration
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill includes instructions to install 'shfmt' by piping a remote script directly to bash: 'curl -sS https://webinstall.dev/shfmt | bash'. This pattern is a critical security risk as it executes arbitrary code from an untrusted source without prior verification.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill references external, non-trusted sources for software installation (webinstall.dev) and pre-commit hooks (github.com/scop/pre-commit-shfmt), which are not included in the trusted organizations or repositories list, posing a supply chain risk.
Recommendations
- HIGH: Downloads and executes remote code from: https://webinstall.dev/shfmt - DO NOT USE without thorough review
- AI detected serious security threats