Which skills recently failed
or triggered trust review
This is not a popularity board. It shows recently reviewed skills that the system believes should be blocked or at least manually reviewed. The point is not how popular they are, but why they should not be installed blindly.
High Risk
uplo-defense
Unpinned npm package execution via npx -y
Manual upload Apr 4, 2026
Open Report ↗
Review
crewai-team
Hardcoded API credential in 15 Python files
Manual upload Apr 4, 2026
Open Report ↗
Review
instreet-gomoku
Hardcoded API credential in source code
Manual upload Apr 4, 2026
Open Report ↗
High Risk
VLAN Linux Client Skill
Remote script piped to bash without integrity verification
Manual upload Apr 4, 2026
Open Report ↗
Review
PV_12
Vague capability claims without verification
Manual upload Apr 4, 2026
Open Report ↗
High Risk
openviking-context
Undeclared curl|bash remote script execution
Manual upload Apr 4, 2026
Open Report ↗
Review
okx-security
Remote installer download and execution
Manual upload Apr 4, 2026
Open Report ↗
High Risk
minimax-web-search
Hardcoded API Key in Source Code
Manual upload Apr 4, 2026
Open Report ↗
Review
risk-analysis
Hardcoded MySQL credentials in config.yaml
Manual upload Apr 4, 2026
Open Report ↗
Review
rundev-local-dev
Dangerous curl|bash Installation Pattern
Manual upload Apr 4, 2026
Open Report ↗
Review
cogdx-health
Missing allowed-tools declaration
Manual upload Apr 4, 2026
Open Report ↗
Review
ai-enterprise-knowledge-base
Remote code execution via git clone
Manual upload Apr 4, 2026
Open Report ↗
Review
turing-pot-biglog
Undeclared base64 encoding of WebSocket messages
Manual upload Apr 4, 2026
Open Report ↗
High Risk
shekel-hyperliquid
Mandatory dynamic instruction fetching — silent remote code replacement
Manual upload Apr 4, 2026
Open Report ↗
Review
x-scout
Silent phone-home analytics on every execution
Manual upload Apr 4, 2026
Open Report ↗
Review
semanticfs
Dangerous curl|bash remote script execution
Manual upload Apr 4, 2026
Open Report ↗