gitlawb
Fail
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses 'curl -sSf https://gitlawb.com/install.sh | sh' for installation in both documentation and the scripts/setup.sh script, executing remote code from a non-pre-approved domain without integrity verification.
- [CREDENTIALS_UNSAFE]: Instructions for the Base L2 name registry require passing the 'ETH_PRIVATE_KEY' via the '--private-key' command-line flag, which exposes the secret in shell history files and system process logs.
- [EXTERNAL_DOWNLOADS]: The skill fetches CLI binaries from gitlawb.com and installs Node.js packages '@gitlawb/gl' and '@gitlawb/opencode' from the npm registry.
- [PROMPT_INJECTION]: The skill ingests untrusted data such as pull request bodies, issue descriptions, and agent task payloads from a decentralized peer-to-peer network (libp2p), which could contain malicious instructions designed to exploit the agent's broad tool capabilities.
- [COMMAND_EXECUTION]: The skill relies on executing local shell commands and git operations via the 'gl' and 'git' binaries to manage repositories, identities, and blockchain interactions.
Recommendations
- HIGH: Downloads and executes remote code from: https://gitlawb.com/install.sh - DO NOT USE without thorough review
- AI detected serious security threats