vector-embed
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches the 'ruvector' and 'ruvector-onnx-embeddings-wasm' packages from the public npm registry. These are vendor-owned resources corresponding to the author 'ruvnet'.
- [COMMAND_EXECUTION]: Instructions provide shell commands that interpolate user-supplied text into double quotes, such as `npx -y ruvector@0.2.25 embed text "your text here"`. This can lead to unintended command execution if the input contains shell-special characters like backticks or dollar signs.
- [REMOTE_CODE_EXECUTION]: The skill uses `npx` to download and execute the 'ruvector' binary at runtime, which is a form of dynamic remote code execution.
Audit Metadata