curl-wget
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous examples for executing `curl` and `wget` commands. These tools enable the agent to perform complex network operations and interact with the local filesystem.
- [CREDENTIALS_UNSAFE]: Documentation includes examples of passing sensitive credentials, such as passwords and API keys, directly as command-line arguments (e.g., `curl -u username:password`). This practice is a security risk as it can expose secrets in shell history, process monitoring tools, and system logs.
- [DATA_EXFILTRATION]: The skill references the usage of sensitive configuration files, specifically `~/.netrc`, `~/.curlrc`, and `~/.wgetrc`, which are used to store credentials and default connection settings.
- [EXTERNAL_DOWNLOADS]: The reference material documents how to download files from remote servers, including a pattern (`curl ... | tar`) that pipes downloaded data directly into an extraction utility. This pattern represents a risk if the source URL is not verified.
Audit Metadata