acontext-installer
Fail
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructions provide commands to download and execute a script directly from a remote URL (
https://install.acontext.io) by piping it directly to a shell (sh). This method of installation is insecure as it allows for arbitrary code execution from a source that is not verified. - Evidence:
curl -fsSL https://install.acontext.io | shinSKILL.md - [COMMAND_EXECUTION]: The skill performs numerous shell operations, including system-wide installation and project management tasks that involve interpolating user-defined names into command arguments.
- Evidence:
acontext dash projects create --name <project-name>and the--systemflag inSKILL.md - [EXTERNAL_DOWNLOADS]: The skill fetches and installs additional software components and plugins from external registries and marketplaces during the setup process.
- Evidence:
openclaw plugins install @acontext/openclawand/plugin install acontextinSKILL.md - [DATA_EXFILTRATION]: The skill is designed to read local directories and upload their contents to a remote API. It also manages sensitive authentication files and environment variables.
- Evidence:
acontext skill upload <directory>and references toauth.jsonandcredentials.jsoninSKILL.md
Recommendations
- HIGH: Downloads and executes remote code from: https://install.acontext.io - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata