Skill Trust Decision

semanticfs

Skill contains a declared but dangerous curl|bash remote script execution pattern for installation, representing an unmitigated supply chain risk.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 1
Artifacts 1
Violations 1
Findings 3
Most direct threat evidence
01
Attacker compromises GitHub repo or modifies install.sh on main branch
supply_chain · SKILL.md
02
User follows install instructions, executing malicious code via curl|bash
Execution · SKILL.md
03
Attacker gains arbitrary code execution on user's system
Impact · install.sh

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
Attacker compromises GitHub repo or modifies install.sh on main branch

supply_chain · SKILL.md:40

02
User follows install instructions, executing malicious code via curl|bash

Execution · SKILL.md:40

03
Attacker gains arbitrary code execution on user's system

Impact · install.sh:1

What drove the risk score up

Remote script execution via curl|bash +25

SKILL.md:40 executes install.sh from GitHub raw URL without integrity verification

No version/commit pinning +10

URL uses 'main' branch which can change at any time

Unmitigated supply chain risk +10

Attacker with repo access could modify install.sh to execute arbitrary code

Most important evidence

High Supply Chain

Dangerous curl|bash remote script execution

The install instruction at line 40 uses 'curl -sSfL <URL> | bash', which downloads and executes arbitrary code from a remote GitHub repository without any integrity verification (no hash check, no version pin, no code review step).

SKILL.md:40
Replace with: 1) Direct binary download with SHA256 verification, 2) Package manager install (pip/brew), or 3) Explicit multi-step instructions showing what the install script does before execution.
Medium Supply Chain

Unpinned installation source

The GitHub raw URL points to the 'main' branch without a specific commit, tag, or release. The content can change arbitrarily, breaking reproducibility and enabling supply chain attacks.

SKILL.md:40
Pin to a specific release tag: https://raw.githubusercontent.com/Navneeth08k/semanticFS/v1.0.0/scripts/install.sh
Medium Priv Escalation

Undeclared shell execution permissions

SKILL.md instructs users to run multiple shell commands (semanticfs binary, curl, python3 -c) without declaring 'shell:WRITE' in the allowed-tools mapping. The shell resource capability is not declared at all.

SKILL.md:40
If shell execution is required for this skill, declare it explicitly in the allowed-tools mapping.

Declared capability vs actual capability

Filesystem · Pass · Declared NONE · Inferred READ
semanticfs index build requires read access to indexed directories

Network · Pass · Declared NONE · Inferred READ
Queries localhost:9464 API for search results

Shell · Block · Declared NONE · Inferred WRITE
SKILL.md:40,45,52,55,63 - Runs binary commands and curl without declared shell permission

Suspicious artifacts and egress

Critical Dangerous Command
curl -sSfL https://raw.githubusercontent.com/Navneeth08k/semanticFS/main/scripts/install.sh | bash

SKILL.md:40

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 131 lines
Markdown 1 file · 131 lines
Files of concern · 1
SKILL.md Markdown · 131 lines
Dangerous curl|bash remote script execution · Unpinned installation source · Undeclared shell execution permissions · curl -sSfL https://raw.githubusercontent.com/Navneeth08k/semanticFS/main/scripts/install.sh | bash

Security positives

Skill behavior is well-documented and transparent about what it does
The tool is read-only (semantic search only, no file modification)
Localhost-only network usage reduces exfiltration risk
GitHub repository provides some accountability (unlike arbitrary URLs)