asana
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): The skill explicitly instructs users to pipe a remote script directly into their shell: curl -sSL https://canifi.com/skills/asana/install.sh | bash. This pattern is highly dangerous as the remote server can deliver and execute any arbitrary command on the user's machine.
- EXTERNAL_DOWNLOADS (HIGH): The skill depends on scripts hosted at canifi.com, which is not a verified or trusted source (e.g., official GitHub organizations or well-known cloud providers). This presents a significant supply chain risk.
- COMMAND_EXECUTION (HIGH): The setup process relies on direct, unverified shell execution of scripts, bypassing standard, auditable installation methods.
- CREDENTIALS_UNSAFE (MEDIUM): The documentation prompts users to store sensitive credentials, including SERVICE_PASSWORD, in local environment variables. While stored locally, this practice increases the attack surface for credential theft if the environment is compromised by other processes.
Recommendations
- HIGH: Downloads and executes remote code from: https://canifi.com/skills/asana/install.sh, https://canifi.com/install.sh - DO NOT USE without thorough review
- AI detected serious security threats