dev-swarm-nodejs

Fail

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill executes a remote shell script by piping the output of a curl command directly into bash. This pattern (curl ... | bash) is used to install nvm from https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh. This execution method lacks integrity verification (such as checksumming) before the script runs.
  • [EXTERNAL_DOWNLOADS]: For Windows users, the skill provides a direct link to download and execute an installer (nvm-setup.exe) from a personal GitHub repository (coreybutler/nvm-windows). Downloading and running executables from non-official or non-trusted organization repositories is a security risk.
  • [COMMAND_EXECUTION]: The skill uses npm install --global to install corepack@latest. Global package installations can modify system-wide configurations and involve executing code with broader permissions.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 13, 2026, 08:28 PM