gpc-setup
Fail
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions to install the CLI tool using
curl -fsSL https://raw.githubusercontent.com/yasserstudio/gpc/main/scripts/install.sh | bash. Executing remote code via a pipe to bash is a critical risk as it allows for arbitrary commands to be run on the host machine without user verification of the script content. - [EXTERNAL_DOWNLOADS]: The installation process involves downloading a shell script from a remote GitHub repository (
yasserstudio/gpc) which is not categorized as a trusted organization or well-known service. - [COMMAND_EXECUTION]: The skill includes instructions to modify the user's shell configuration files (e.g.,
~/.bashrc,~/.zshrc,~/.bash_completion) by appending commands for shell completion. Modifying shell startup scripts is a form of persistence that can be abused to execute malicious code every time a new shell session is started. - [COMMAND_EXECUTION]: The
scripts/detect_gpc.mjsfile uses theexecSyncfunction to execute multiple shell commands on the system, such asgpc --versionandgpc auth status --json, in order to detect the installation state of the GPC tool.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/yasserstudio/gpc/main/scripts/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata