grit
Fail
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documentation in SKILL.md and references/cli-quickstart.md instructs users to install the CLI tool using a command that pipes a remote script from https://docs.grit.io/install directly into bash. This executes unverified remote code in the host shell without integrity checks.
- [COMMAND_EXECUTION]: The GritQL engine supports inline JavaScript functions via the js keyword, enabling dynamic execution of logic during code transformation as described in references/functions.md. While sandboxed, this provides a mechanism for running arbitrary logic.
- [COMMAND_EXECUTION]: The tool possesses capabilities to create and overwrite local files using the $new_files variable, which can lead to destructive filesystem operations if used maliciously, as noted in references/advanced-patterns.md.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the download of the @getgrit/cli package and allows for the importation of remote patterns from external repositories like github.com/getgrit/stdlib, which are then used during the execution of transformation queries.
Recommendations
- HIGH: Downloads and executes remote code from https://docs.grit.io/install. DO NOT USE without thorough review.
- AI detected serious security threats.