unzip-crx
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONNO_CODE
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill utilizes the @tomjs/unzip-crx package from npm. This package and its author are not part of the trusted organizations list, requiring manual verification of the package content.
- COMMAND_EXECUTION (MEDIUM): The documentation in SKILL.md states that the script 'auto-installs' packages on the first run. This implies the script executes shell commands dynamically to modify the local environment, which is a high-risk behavior for AI agent skills.
- NO_CODE (LOW): The core implementation script 'scripts/unzip-crx.mjs' referenced in the documentation is missing from the provided files, preventing a complete security audit of how it handles file paths or implements the installation logic.
Audit Metadata