Skills
skills/vishalsachdev/claude-skills/microsim-matcher/Gen Agent Trust Hub

microsim-matcher

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • Remote Code Execution (HIGH): The skill uses curl to fetch commit metadata from the GitHub API for the repository dmccreary/claude-skills. Automated scanning detected that the date field from the JSON response is subsequently executed as code. Because the repository dmccreary/claude-skills is not a trusted source, an attacker with write access to that repository could potentially execute arbitrary commands on the host system by manipulating commit metadata.
  • External Downloads (MEDIUM): The skill depends on external data fetched at runtime from an untrusted third-party repository. This violates the principle of least privilege and introduces a supply-chain risk.
  • Command Execution (HIGH): The use of shell commands to process and execute dynamically retrieved web content is a high-risk pattern that bypasses security boundaries.
Recommendations
  • HIGH: Downloads and executes remote code from: https://api.github.com/repos/dmccreary/claude-skills/commits?path=skills/microsim-matcher/references/matching-criteria.md&page=1&per_page=1 - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:44 PM