mcp-tokenflux-images

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL | REMOTE_CODE_EXECUTION | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill instructions include a command to install the mh CLI by piping a remote shell script directly into the shell (curl -fsSL ... | sh). This pattern is highly dangerous as the script content is not verified before execution and originates from a non-trusted GitHub repository (vaayne/mcphub).
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill depends on a script and tool hosted on an unverified third-party GitHub account. This source is not part of the trusted scope, increasing the risk of supply chain attacks or malicious code injection.
  • [COMMAND_EXECUTION] (MEDIUM): The skill workflow relies on the execution of the mh CLI tool via the system shell. While this is necessary for the skill's functionality, combined with the untrusted installation method, it poses a significant risk to the host environment.
Recommendations
  • CRITICAL: Downloads and executes remote code from untrusted source(s): https://raw.githubusercontent.com/vaayne/mcphub/main/scripts/install.sh - DO NOT USE
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 16, 2026, 01:09 PM