cli-productivity
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: CRITICAL; REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Remote Code Execution (CRITICAL): The skill uses piped remote script execution from untrusted sources, which allows for arbitrary code execution on the user's system.
  - Evidence: `curl -sS https://raw.githubusercontent.com/ajeetdsouza/zoxide/main/install.sh | bash`
  - Evidence: `curl -sS https://starship.rs/install.sh | sh`
- Persistence Mechanisms (HIGH): The skill instructs users to modify shell startup profiles to maintain access across sessions.
  - Evidence: Modification of `~/.bashrc` via `eval "$(zoxide init bash)"` and sourcing `~/.fzf.bash`.
- Dynamic Execution (MEDIUM): Use of `eval` on shell-generated output executes code created at runtime.
  - Evidence: `eval "$(zoxide init bash)"` in the Quick Start section.
Recommendations
- HIGH: Downloads and executes remote code from: https://starship.rs/install.sh, https://raw.githubusercontent.com/ajeetdsouza/zoxide/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata