Skills
skills/anentrypoint/gm/gm-skill/Gen Agent Trust Hub

gm-skill

Warn

Audited by Gen Agent Trust Hub on May 22, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download the gm-plugkit package from the NPM registry if a status file is missing or stale. The command npx -y gm-plugkit@latest spool or bun x gm-plugkit@latest spool is used to fetch the package at runtime.
  • [REMOTE_CODE_EXECUTION]: Using npx or bun x to run a package with the @latest version tag executes code from a remote source without version pinning. This poses a supply-chain risk as the executed code can change at any time without user oversight.
  • [COMMAND_EXECUTION]: The skill runs its core logic as a background process using & and redirects all output (stdout and stderr) to /dev/null. This hides the execution details and any potential errors or malicious behaviors from the user and the agent's logs.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 22, 2026, 11:16 AM
Security Audit — agent-trust-hub — gm-skill