skills/derek-x-wang/skills/fuelcheck/Gen Agent Trust Hub

fuelcheck

Fail

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides an installation command 'curl -fsSL https://github.com/emanuelarcos/fuelcheck/releases/latest/download/install.sh | sh' that downloads and immediately executes a shell script from a third-party repository. This grants the repository owner the ability to execute arbitrary commands on the system without user review.
  • [EXTERNAL_DOWNLOADS]: The skill relies on software from an unverified GitHub repository ('emanuelarcos/fuelcheck') that is not associated with the skill author or a trusted vendor. It also suggests using 'go install' to fetch code from the same untrusted source.
  • [COMMAND_EXECUTION]: The skill's primary function involves running terminal commands including 'command -v fuelcheck' for detection and 'fuelcheck --json' for data retrieval, enabling the execution of external binaries.
  • [PROMPT_INJECTION]: The skill parses and interprets structured JSON output from the 'fuelcheck' tool. As this output is derived from an unverified external source and processed without boundary markers or sanitization, it creates a surface for indirect prompt injection if the tool is compromised.
Recommendations
  • HIGH: Downloads and executes remote code from: https://github.com/emanuelarcos/fuelcheck/releases/latest/download/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 3, 2026, 07:45 AM