Skills
skills/vchirrav/owasp-secure-coding-md/sbom-syft/Gen Agent Trust Hub

sbom-syft

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill utilizes a highly dangerous pattern to install the 'Syft' tool by piping a remote script directly into the shell (curl ... | sh). This provides the remote host with full control to execute arbitrary code with the privileges of the agent.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads and executes software from the 'anchore' GitHub organization, which is not included in the pre-defined list of trusted organizations.
  • [COMMAND_EXECUTION] (MEDIUM): System commands (syft dir:<target-path>) are constructed using user-provided input fields. Without explicit sanitization mentioned in the skill, this presents a risk of command injection if malicious strings are provided as paths or image names.
Recommendations
  • CRITICAL: Downloads and executes remote code from untrusted source(s): https://raw.githubusercontent.com/anchore/syft/main/install.sh - DO NOT USE
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 16, 2026, 12:38 PM