git-vibe-flow

Fail

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides instructions in SKILL.md and README.md to execute a remote shell script directly by piping it to bash: curl -fsSL https://raw.githubusercontent.com/sailscastshq/git-vibe/main/install.sh | bash. This allows for unverified arbitrary code execution from a remote source.
  • [COMMAND_EXECUTION]: The installation process modifies the user's global Git configuration so that the tool intercepts Git operations in all repositories on the host machine.
  • Evidence: git config --global core.hooksPath "${HOOK_DIR}" in install.sh redirects all Git hooks to the tool's custom directory.
  • Evidence: git config --global alias.vibe "!${BIN_DIR}/git-vibe" in install.sh creates a global Git alias that executes the tool's binary.
  • [COMMAND_EXECUTION]: The install.sh script modifies shell initialization files to persistently alter the system PATH environment variable across sessions.
  • Evidence: The ensure_path_in_profile function in install.sh appends export PATH="..." to files such as .zshrc, .bashrc, or .bash_profile.
  • [EXTERNAL_DOWNLOADS]: The installer script dynamically fetches the main executable binary and metadata from a remote GitHub repository at runtime.
  • Evidence: download "bin/git-vibe" "${BIN_DIR}/git-vibe" in install.sh fetches files from raw.githubusercontent.com.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/sailscastshq/git-vibe/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Mar 16, 2026, 01:23 PM