quick-quality-check

Warn

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill interpolates the user-provided '$path' variable directly into shell commands within a 'parallel' execution block. Because the input is only wrapped in single quotes, a path containing a single quote (e.g., "'; rm -rf /; '") could break out of the intended command and execute arbitrary commands on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill uses 'npx' to fetch and execute various modules of the 'claude-flow' package. Using 'npx' without specific version pinning for a non-standard package allows the execution of untrusted code from the npm registry, posing a supply chain risk.
  • [REMOTE_CODE_EXECUTION]: The combination of dynamic shell command construction and the use of 'npx' to execute remote packages from the npm registry creates a pathway for executing unauthorized code on the execution environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 2, 2026, 07:18 AM
Security Audit — agent-trust-hub — quick-quality-check