cli-productivity
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The automated scan confirmed the presence of piped remote execution patterns (`curl | bash` and `curl | sh`). Specifically, scripts from `https://raw.githubusercontent.com/ajeetdsouza/zoxide/main/install.sh` and `https://starship.rs/install.sh` are executed directly. These sources are not on the Trusted External Sources list, making this a critical security risk.
- COMMAND_EXECUTION (MEDIUM): The skill utilizes `eval "$(zoxide init bash)"`, which is a dynamic code execution pattern. If the `zoxide` binary or its configuration is compromised, it can lead to arbitrary shell command execution.
- EXTERNAL_DOWNLOADS (LOW): The skill recommends installing several third-party utilities (`jq`, `fzf`, `ripgrep`, etc.) via `brew`. While these are popular developer tools, they represent unverified external dependencies within the context of this skill's security posture.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/ajeetdsouza/zoxide/main/install.sh, https://starship.rs/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata