Suspicious — Risk Score 55/100
Last scan: 22 hr ago
rundev-local-dev
Local dev environment manager. Process management, automatic HTTPS domains, SSL certificates, reverse proxy, and AI crash diagnosis
The skill describes a legitimate local dev tool but relies on a dangerous curl|bash installation and requires opaque system-level modifications, including permanent NOPASSWD sudo access.
Skill Name: rundev-local-dev
Duration: 55.3s
Engine: pi
Use with caution
Do not use curl|bash installation. If needed, manually review and download the install script first, verify its contents, and consider building from source. The permanent sudoers rule poses significant risk.

Attack Chain 5 steps

Entry: User executes curl|bash installation command
SKILL.md:83
Escalation: Remote server serves potentially malicious install.sh
https://getrun.dev/install.sh:1
Escalation: Install script executes with sudo privileges, creates NOPASSWD rule
install.sh (hidden):unknown
Escalation: Binary installed to /usr/local/bin, iptables rules set up, hosts modified
install.sh (hidden):unknown
Impact: Malicious binary with permanent sudo access runs with elevated privileges
/usr/local/bin/rundev:unknown

Findings 5 items

Severity Finding Location
High
Dangerous curl|bash Installation Pattern (Supply Chain)
Line 83 executes a remote script directly from getrun.dev without verification. This is a well-known attack vector: the remote server could serve different content per request, enabling supply chain compromise.
curl -fsSL https://getrun.dev/install.sh | bash
→ Download the install script first with 'curl -fsSL https://getrun.dev/install.sh -o install.sh', review contents, then execute locally.
SKILL.md:83
High
Undeclared Permanent Sudoers Rule (Privilege Escalation)
The installer creates a NOPASSWD sudoers rule for hosts management. This grants permanent elevated privileges without declaring it as a capability. This rule persists across reboots and could be abused.
Installs a hosts helper script with a NOPASSWD sudoers rule
→ Review the sudoers rules installed. Consider using alternative privilege separation or requesting user confirmation for sudo access.
SKILL.md:86
High
Hidden Installation Script Contents (Doc Mismatch)
The SKILL.md describes what the installer does, but the actual install.sh script contents are not visible. Users cannot verify what commands will actually execute, including potential data collection or additional downloads.
What the installer does (fully transparent, reversible...)
→ Provide the full install.sh script content in the skill documentation for transparency and verification.
SKILL.md:84
Medium
Unverified Prebuilt Binary Download (Supply Chain)
The installer downloads a prebuilt binary from getrun.dev with no checksum verification. An attacker compromising the domain could serve a malicious binary.
Downloads prebuilt binary to /usr/local/bin/rundev
→ Use the source-based installation: 'git clone && make install' to compile from verified source code.
SKILL.md:85
Medium
System-Level Persistence Mechanisms (Persistence)
The installer sets up persistent configurations: iptables NAT rules, pfctl anchors, hosts file modifications, and state persistence in state.json. These create multiple persistence vectors.
Sets up port forwarding: port 80 → 1111, port 443 → 1112 (localhost only)
→ Document all persistence mechanisms clearly and provide easy uninstall to remove all traces.
SKILL.md:86
Resource Declared Inferred Status Evidence
Filesystem WRITE WRITE ✓ Aligned SKILL.md:80-85 - /usr/local/bin, /etc/hosts, ~/.config/rundev/
Shell WRITE WRITE ✓ Aligned SKILL.md:83 - curl|bash execution
Network READ WRITE ✗ Violation SKILL.md:83 - Downloads binary from getrun.dev
Environment NONE NONE No environment access declared or observed
Skill Invoke NONE NONE No cross-skill invocation
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser automation
Database NONE NONE No database access
1 Critical 6 findings
Critical Dangerous Command (Dangerous Shell Command)
curl -fsSL https://getrun.dev/install.sh | bash
SKILL.md:83
Medium External URL
https://getrun.dev
SKILL.md:22
Medium External URL
https://getrun.dev/install.sh
SKILL.md:83
Medium External URL
https://api.myapp.local
SKILL.md:193
Medium External URL
https://docs.anthropic.com/en/docs/claude-code
SKILL.md:257
Info Email (Email Address)
[email protected]
SKILL.md:21

File Tree

1 file · 12.4 KB · 323 lines
Markdown 1f · 323L
└─ 📝 SKILL.md Markdown 323L · 12.4 KB

Security Positives

✓ Full documentation of what the installer does (though script content is hidden)
✓ Includes automatic rollback on failure
✓ Network rules are localhost-only (127.0.0.1)
✓ Explicit consent screen before system changes
✓ Provides uninstall command to reverse all changes
✓ Source code available on GitHub for verification (though not used by default install)