Statichub

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is coherent for deploying static files, but its install step tells the agent to run an unverified remote script directly in the shell.

Before installing, review or replace the StaticHub CLI installation step. Prefer a package-manager or signed release install, pin the version, verify the downloaded script or binary, and only deploy an explicit directory or HTML file you intend to publish.

SkillSpector (1)

By NVIDIA

Missing User Warnings

Medium

Confidence: 96%

Finding:
The skill instructs the agent to install missing software by piping a remotely fetched script directly into `sh`, which executes unreviewed code from the network with no integrity verification, pinning, or user confirmation. In an agent context this is more dangerous because the installation step is part of the prescribed workflow, making automatic execution of attacker-controlled or tampered remote content more likely.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
