Skills
skills/1mangesh1/dev-skills-collection/curl-http/Gen Agent Trust Hub

curl-http

Fail

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The documentation includes examples of piping network output directly to a Python interpreter (curl -s https://api.example.com | python -m json.tool), which is a dangerous pattern if the remote content is malicious. Additionally, the skill suggests using the -k (insecure) flag and includes scripts that bypass certificate verification using --cacert /dev/null, increasing the risk of executing malicious data via Man-in-the-Middle attacks.
  • [COMMAND_EXECUTION]: The provided bash scripts (http-debug.sh, api-tester.sh) execute curl commands based on user-provided URLs and methods, allowing for arbitrary network requests that could be used for Server-Side Request Forgery (SSRF) or scanning internal resources.
  • [CREDENTIALS_UNSAFE]: The skill guides encourage passing sensitive credentials, such as basic auth passwords and bearer tokens, directly as command-line arguments, which exposes them in shell history, logs, and process monitoring tools.
  • [DATA_EXFILTRATION]: The http-debug.sh script logs the entire constructed curl command to standard output, which could lead to the accidental exposure of sensitive authentication headers in terminal logs or captured sessions.
Recommendations
  • HIGH: Downloads and executes remote code from: https://api.example.com - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 14, 2026, 01:22 AM