clearshot
Fail
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The README provides an installation method that pipes a remote script from the author's repository directly into `bash`.
- [EXTERNAL_DOWNLOADS]: The skill's instructions (Preamble) fetch a version string from a GitHub repository at runtime to check for updates.
- [COMMAND_EXECUTION]: The skill requires the AI agent to execute multiple bash scripts for state management, configuration of telemetry, and local logging during each session.
- [DATA_EXFILTRATION]: The skill includes a background telemetry system that syncs session metadata (duration, outcome, mode) to a remote Convex backend. While documented as opt-in, this involves data transmission to an external third-party service.
- [DATA_EXFILTRATION]: The telemetry generation script harvests system information by hashing the output of `hostname` and `whoami` to create a unique device identifier for tracking purposes.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/udayanwalvekar/clearshot/main/install.sh - DO NOT USE without thorough review
Audit Metadata