grepai-quickstart
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The skill provides instructions to download and immediately execute shell and PowerShell scripts from a non-trusted GitHub user repository. This bypasses all security verification.
  - Evidence (SKILL.md): curl -sSL https://raw.githubusercontent.com/yoanbernabeu/grepai/main/install.sh | sh
  - Evidence (SKILL.md): irm https://raw.githubusercontent.com/yoanbernabeu/grepai/main/install.ps1 | iex
- [EXTERNAL_DOWNLOADS] (HIGH): The skill recommends installing Ollama using a piped-to-shell method from an external domain (ollama.com) that is not on the trusted whitelist.
  - Evidence (SKILL.md): curl -fsSL https://ollama.com/install.sh | sh
- [COMMAND_EXECUTION] (MEDIUM): The skill requires the user to run the grepai daemon, which indexes local source code and creates local storage files (.grepai/index.gob), presenting a significant file system access footprint.
- [DATA_EXPOSURE] (LOW): The skill's primary function involves indexing local code projects. While intended, this creates a data ingestion surface where sensitive code content is processed and stored locally in a vector index.
- [INDIRECT_PROMPT_INJECTION] (LOW): Vulnerability surface identified.
  - Ingestion points: Local project files read via grepai watch.
  - Boundary markers: Absent; the skill does not specify how to handle malicious instructions embedded in source code comments.
  - Capability inventory: grepai watch (file read/index), grepai search (data retrieval to context), grepai trace (code analysis).
  - Sanitization: Absent; no mention of sanitizing or escaping code content before returning search results to the agent.
Recommendations
- HIGH: Downloads and executes remote code from https://ollama.com/install.sh and https://raw.githubusercontent.com/yoanbernabeu/grepai/main/install.sh. DO NOT USE without thorough review.
- AI detected serious security threats.
Audit Metadata