front-dev
Fail
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: HIGH | REMOTE_CODE_EXECUTION | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs users to install the Lightpanda browser using the command curl -fsSL https://pkg.lightpanda.io/install.sh | bash. This pattern executes remote code directly in the shell without providing any integrity or security verification.
- [EXTERNAL_DOWNLOADS]: The skill recommends adding a third-party agent skill from a personal GitHub repository (benjitaylor/agentation) using npx skills add. This introduces external code from an unverified source into the agent's context.
- [COMMAND_EXECUTION]: The skill provides instructions to install the Bun runtime using curl -fsSL https://bun.sh/install | bash. While Bun is a recognized development tool, this installation method is inherently less secure than using traditional package management systems.
- [COMMAND_EXECUTION]: The skill frequently uses shell commands for project scaffolding and dependency management (e.g., bun create astro, bunx shadcn@latest init), which download and run various third-party scripts at runtime.
Recommendations
- HIGH: Downloads and executes remote code from: https://pkg.lightpanda.io/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata