safe-skill-advisor

safe-skill-advisor · v1.7.0 · by

55.1

Trust Score

Trust Tier

danger

Badge

Score Breakdown

Factor	Score	Weight
Static	0.0	15%
Permission	95.0	15%
Poison	100.0	15%
Clickfix	0.0	15%
Credential	100.0	15%
Twostage	5.0	10%
Infrastructure	100.0	5%
Typosquat	100.0	5%
Age	10.6	3%
Popularity	0.0	2%

Scan Results

STATIC — Score: 0

[CRITICAL] Remote code download and execution via curl pipe (line 89)
- [ ] Does SKILL.md require executing `curl | bash` or downloading external files?

[CRITICAL] Remote code download and execution via curl pipe (line 136)
- ❌ Requires executing `curl http://... | bash`

[CRITICAL] Remote code download and execution via curl pipe (line 305)
2. ❌ Execute unknown scripts (especially `curl | bash`)

[CRITICAL] Remote script download piped to shell execution (line 89)
- [ ] Does SKILL.md require executing `curl | bash` or downloading external files?

[CRITICAL] Remote script download piped to shell execution (line 136)
- ❌ Requires executing `curl http://... | bash`

[CRITICAL] Remote script download piped to shell execution (line 305)
2. ❌ Execute unknown scripts (especially `curl | bash`)

PERMISSION — Score: 95

[LOW] Skill appears to use network but declares no permissions

POISON — Score: 100

No findings.

CLICKFIX — Score: 0

[CRITICAL] Instructs user to pipe downloaded content to shell (line 305)
2. ❌ Execute unknown scripts (especially `curl | bash`)

[CRITICAL] Instructs user to disable security features (line 90)
- [ ] Does installation instructions require downloading **password-protected ZIP**? (Hackers commonly use this to bypas

[CRITICAL] Instructs user to disable security features (line 242)
| Password-Protected ZIP | 45% | Bypass antivirus detection |

INFRASTRUCTURE — Score: 100

No findings.

TWOSTAGE — Score: 5

[CRITICAL] Download piped directly to interpreter (two-stage loader) (line 136)
- ❌ Requires executing `curl http://... | bash`

CREDENTIAL — Score: 100

No findings.

TYPOSQUAT — Score: 100

No findings.

← Back to list