setup-env-validation

Warn

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)

Full Analysis
  • [REMOTE_CODE_EXECUTION]: The file scripts/_hook-lib.sh contains a relative path reference ../../shared/hook-lib.sh. When this file is sourced by the main hook script scripts/env-validation-check.sh, it attempts to execute code from a location outside the skill's own directory. This is an unsafe practice as it relies on the state of the parent file system and may lead to the execution of unintended or malicious files.
  • [COMMAND_EXECUTION]: The skill instructs the user to run a command named codex-compat which is not a standard system utility and is not provided within the skill's own files. This represents an unverified dependency that could execute arbitrary code if a malicious version is present in the user's path.
  • [COMMAND_EXECUTION]: The skill sets up PostToolUse hooks that execute shell scripts automatically following file edits or writes. While this is the intended purpose of the skill, it creates a mechanism for persistent automated execution that could be exploited if the scripts are tampered with.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 15, 2026, 09:06 AM
Security Audit — agent-trust-hub — setup-env-validation