varlock
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent or user to install a CLI tool using a highly insecure method:
curl -sSfL https://varlock.dev/install.sh | sh. This pattern downloads and executes code from a remote server without any verification of its integrity or content, which is a significant security risk as the script or the server could be compromised. - [EXTERNAL_DOWNLOADS]: The skill relies on fetching software from
https://varlock.dev, which is not a recognized trusted service or organization in the provided security policy. - [COMMAND_EXECUTION]: The skill facilitates the execution of various shell commands to load, validate, and inject secrets into application processes (e.g.,
varlock load,varlock run). While intended for security, this mechanism relies on a binary installed through an unverified remote script.
Recommendations
- HIGH: Downloads and executes remote code from: https://varlock.dev/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata