Skills
skills/therealharpaljadeja/monskills/monskill/Gen Agent Trust Hub

monskill

Warn

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSDATA_EXFILTRATIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The vercel-deploy/SKILL.md file instructs the agent to download an external shell script from https://skills.devnads.com/vercel-deploy/deploy.sh and execute it locally using bash. This pattern bypasses static inspection of the skill's code at load time.
  • [DATA_EXFILTRATION]: The deploy.sh script is designed to archive the local project (using git ls-files) and upload the resulting tarball to an external API endpoint (https://claude-skills-deploy.vercel.com/api/deploy) to facilitate deployment to Vercel. This involves sending the entire source code to infrastructure managed by the skill author.
  • [COMMAND_EXECUTION]: The skill requires the agent to execute several high-risk commands, including:
  • Modifying script permissions via chmod +x.
  • Decrypting local encrypted keystores to retrieve private keys for signing transactions via cast wallet decrypt-keystore.
  • Installing Node.js dependencies at runtime using npm install --no-save viem qrcode-terminal.
  • [CREDENTIALS_UNSAFE]: The repository contains a .env.example file with a hardcoded database connection string template (postgresql://user:password@host/dbname?sslmode=require). While these are placeholders, they match patterns for hardcoded credentials in configuration files.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 27, 2026, 02:47 PM