Skill Trust Decision

monid

The skill instructs users to execute a remote script via curl|bash (a critical high-risk pattern); the script could be replaced with a malicious version at any time. The skill also generates and stores API keys locally without declaring its credential handling behavior.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files 2
Artifacts 2
Violations 0
Findings 7
Most direct threat evidence
Critical RCE
Remote script execution via curl|bash from mutable branch

The skill instructs users to run 'curl -fsSL https://raw.githubusercontent.com/FeiyouG/monid-client/main/install.sh | bash' in at least 7 locations (lines 26, 31, 61, 75, 83, 98, 126, 137, 160, 163, 184, 201). The 'main' branch of a GitHub repo is mutable — a repo compromise or man-in-the-middle attack can silently replace the script with arbitrary malicious code that executes with the user's full privileges.

SKILL.md:26

Why this conclusion was reached

2/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block
Attack chain and severe findings

The report includes 5 attack-chain steps and 5 severe findings.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01
User invokes the skill and is prompted to install via curl|bash

Entry · SKILL.md:26

02
Malicious actor compromises GitHub repo 'FeiyouG/monid-client' or performs MitM to serve a trojaned install.sh from the mutable 'main' branch

Delivery · SKILL.md:26

03
install.sh executes with user privileges, installing arbitrary binaries to ~/.local/bin/monid and potentially adding persistence hooks

Execution · SKILL.md:26

04
User runs 'monid auth login' and 'monid keys generate' — the monid binary (supplied by the malicious install) could harvest OAuth tokens, Ed25519 private keys, and store them for exfiltration

Credential Access · SKILL.md:47

05
API keys, OAuth tokens, and scraped data are exfiltrated to the attacker-controlled backend (monid-cli infrastructure)

Impact · SKILL.md:47

What drove the risk score up

curl|bash remote script execution from mutable branch +40

SKILL.md:26,31,multiple — downloads and executes script from github.com/FeiyouG/monid-client/main/install.sh. The 'main' branch is mutable; an attacker who compromises the repo can serve malicious code to all future users.

No allowed-tools / _meta.json declared +10

The skill declares no allowed tools. Capability model (filesystem, network, shell, etc.) is not declared, making it impossible to audit resource access.

Undeclared credential generation and local storage +12

SKILL.md instructs users to generate Ed25519 API keys via 'monid keys generate', which are stored at ~/.monid/keys/. This sensitive_access and credential_theft behavior is not declared anywhere.

Most important evidence

Critical RCE

Remote script execution via curl|bash from mutable branch

The skill instructs users to run 'curl -fsSL https://raw.githubusercontent.com/FeiyouG/monid-client/main/install.sh | bash' in at least 7 locations (lines 26, 31, 61, 75, 83, 98, 126, 137, 160, 163, 184, 201). The 'main' branch of a GitHub repo is mutable — a repo compromise or man-in-the-middle attack can silently replace the script with arbitrary malicious code that executes with the user's full privileges.

SKILL.md:26

Replace with pinned binary downloads from a tagged release, or provide SHA256 checksums. Never pipe remote content directly into bash.

Critical Priv Escalation

No allowed-tools declaration in _meta.json

The skill has no _meta.json file and does not declare any allowed tools through the capability model. The capability model (filesystem, network, shell, environment, skill_invoke, clipboard, browser, database × NONE/READ/WRITE/ADMIN) is entirely undeclared, making it impossible to audit what resources this skill actually accesses when invoked.

SKILL.md:1

Add a _meta.json with explicit allowed-tools declarations. Map Bash→shell:WRITE, Read→filesystem:READ, Write→filesystem:WRITE, WebFetch→network:READ as appropriate.

High Credential Theft

Undeclared credential generation and local key storage

The skill instructs users to generate API keys via 'monid keys generate --label main' and stores encrypted Ed25519 key pairs locally at ~/.monid/keys/. While these are local keys, the behavior is not declared in any security documentation, and the key generation mechanism runs inside a third-party CLI whose code is never reviewed.

SKILL.md:47

Declare credential generation as a capability. Consider using environment variables or secrets management instead of local file storage for API keys.

High Doc Mismatch

Skill name 'monid' has no verifiable public presence

The skill claims to be an 'agentic payment platform CLI' but the brand 'Monid' / 'monid' has no verifiable public footprint outside this skill. The GitHub repo FeiyouG/monid-client is a single-person repo with no stars and no clear commercial entity behind it. A legitimate commercial scraping service would have verifiable documentation, company registration, and stable distribution channels.

SKILL.md:1

Verify the vendor identity independently. Request documentation of the corporate entity, privacy policy, and data handling practices before using this skill.

High Supply Chain

Installation from mutable 'main' branch with no integrity check

The install.sh script is fetched from the 'main' branch with no GPG signature, no pinned commit hash, and no SHA256 verification. Even if the repo is legitimate today, it can be updated with malicious code at any time. The install script also runs with user-level privileges and could install persistence mechanisms.

SKILL.md:26

Download binaries from a specific tagged release (e.g., /releases/download/v1.0.0/monid-linux-x64). Provide SHA256 checksums in the documentation. Add version pinning.

Medium Sensitive Access

OAuth authentication stores credentials to ~/.monid/

The OAuth login flow saves workspace information to ~/.monid/config.yaml. This file may contain OAuth tokens or session data. Accessing or storing credentials in the user's home directory is sensitive behavior that should be declared.

SKILL.md:38

Declare that the skill accesses the ~/.monid/ directory. Use a permission-gated secrets store instead of plaintext config files in the home directory.

Medium Obfuscation

Heavy bundling of documentation to reduce transparency

The references/capabilities.md file (1009 lines) is a reference table that could have been inline in SKILL.md. Separating it makes it harder to audit the full scope of the skill in one pass. This pattern can be used to hide additional instructions from quick reviewers.

references/capabilities.md:1

Keep all skill documentation in a single SKILL.md file. Any additional reference data should be clearly linked and audited together.

Declared capability vs actual capability

Shell Pass
Declared NONE
Inferred WRITE
SKILL.md:26 — curl -fsSL https://... | bash

Network Pass
Declared NONE
Inferred READ
SKILL.md:26,31 — raw script download from github.com

Filesystem Pass
Declared NONE
Inferred WRITE
SKILL.md:38 — stores config to ~/.monid/config.yaml; SKILL.md:47 — stores keys to ~/.monid/keys/

Skill Invoke Pass
Declared NONE
Inferred NONE
No _meta.json; invocation model not declared

Suspicious artifacts and egress

Critical Dangerous Command
curl -fsSL https://raw.githubusercontent.com/FeiyouG/monid-client/main/install.sh | bash

SKILL.md:26

Medium External URL
https://amazon.com/dp/B0123456

SKILL.md:471

Dependencies and supply chain

Package: FeiyouG/monid-client
Version: main (mutable)
Source: github raw script
Known vuln: No
Notes: CRITICAL: Installs via curl|bash from mutable branch with no integrity verification. The binary is a closed-source third-party tool whose code cannot be audited.

File composition

2 files · 1114 lines
Markdown 2 files · 1114 lines
Files of concern · 2
SKILL.md Markdown · 724 lines
Remote script execution via curl|bash from mutable branch · No allowed-tools declaration in _meta.json · Undeclared credential generation and local key storage · Skill name 'monid' has no verifiable public presence · Installation from mutable 'main' branch with no integrity check · OAuth authentication stores credentials to ~/.monid/ · curl -fsSL https://raw.githubusercontent.com/FeiyouG/monid-client/main/install.sh | bash · https://amazon.com/dp/B0123456
references/capabilities.md Markdown · 390 lines
Heavy bundling of documentation to reduce transparency

Security positives

The skill describes what platforms it can scrape (X, Instagram, TikTok, LinkedIn, YouTube, Facebook, Amazon, Google) — scope is relatively clear
The skill includes pricing estimates for each capability, showing cost transparency
The skill includes a 'What Monid CANNOT Do' section with constraints
No direct code execution, obfuscation, or exfiltration loops found in the documentation itself
Uses OAuth for authentication rather than password-based login