skills/stvlynn/qclaw-skills/qclaw-env/Gen Agent Trust Hub

qclaw-env

Fail

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill employs patterns that download and execute code directly from the internet to automate tool installation.
      • Fetches and pipes scripts to shell environments for the uv package manager, Homebrew, and Scoop.
      • Uses Windows PowerShell's Invoke-Expression (iex) to execute downloaded installation scripts for Chocolatey and Scoop.
  • [COMMAND_EXECUTION]: System-level commands and configuration modifications are performed to set up the environment.
      • Frequently invokes sudo on macOS for administrative tasks such as package installation via softwareupdate and the system installer.
      • Modifies shell configuration files (~/.zshrc, ~/.zprofile) to append environment variables and update system paths.
      • Executes msiexec with passive flags on Windows to perform background software installations.
  • [EXTERNAL_DOWNLOADS]: The skill retrieves a wide range of binaries and installers from external sources.
      • Downloads official runtime packages for Node.js, Python, and Go from their respective official domains.
      • References community-maintained mirrors (e.g., USTC and Gitee) for installation scripts when primary sources are unreachable.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 21, 2026, 04:45 PM