webup-statusline

Warn

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/generate.mjs creates an executable bash file at ~/.claude/scripts/statusline.sh and modifies the ~/.claude/settings.json file to register this script. This alters the agent's runtime behavior by executing the generated script for status updates.
  • [COMMAND_EXECUTION]: There is a potential command injection vulnerability in scripts/generate.mjs. The --effort-icon parameter is interpolated directly into a shell script template without sanitization. If an attacker can influence this argument, it could allow for arbitrary command execution when the generated status line script is rendered.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx -y bun to execute its generator, which results in the download and execution of the Bun runtime from the official npm registry if it is not already installed on the system.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 6, 2026, 07:43 AM