Summary
opencode-skills-antigravity v1.0.5 was classified as CRITICAL RISK with a risk score of 14113. Sigil detected 1356 findings across 4071 files, covering phases including code patterns, network exfiltration, obfuscation, install hooks, credential access, provenance. Review the findings below before installing this package.
v1.0.5
20 March 2026, 18:12 UTC
by Sigil Bot
Risk Score
14113
Findings
1356
Files Scanned
4071
Provenance
Findings by Phase
Phase Ordering
Phases are ordered by criticality, with the most dangerous at the top. Click any phase header to expand or collapse its findings. Critical phases are expanded by default.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
package/bundled-skills/algorithmic-art/templates/generator_template.js:53
function setup() {
createCanvas(800, 800);Why was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
package/bundled-skills/apify-actor-development/SKILL.md:25
## Prerequisites & Setup (MANDATORY)
Why was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/apify-actor-development/SKILL.md:39
> **Security note:** Do NOT install the CLI by piping remote scripts to a shell
> (e.g. `curl … | bash` or `irm … | iex`). Always use a package manager.
Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/audit-skills/SKILL.md:82
- **Persistence**: `reg add` (Run keys), `schtasks`, `crontab`, `launchctl` (macOS), `systemd` units.
- **Tubes**: `curl ... | bash`, `iwr ... | iex`.
Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/bun-development/SKILL.md:33
# macOS / Linux
curl -fsSL https://bun.sh/install | bash
Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/bun-development/SKILL.md:591
# 1. Install Bun
curl -fsSL https://bun.sh/install | bash
Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/claude-code-expert/SKILL.md:353
"Bash(sudo *)",
"Bash(curl * | bash)"
]Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/cloud-penetration-testing/SKILL.md:32
# GCP CLI
curl https://sdk.cloud.google.com | bash
gcloud initWhy was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/docs/contributors/quality-bar.md:53
- command pipelines like `curl ... | bash`, `wget ... | sh`, `irm ... | iex`,
- inline token/secret-style command examples,Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/docs/contributors/skill-template.md:60
- If this skill includes shell commands, command-like examples, network fetches, token/capability strings, or direct mutation guidance, add explicit preconditions and caveats.
- For deliberate risky examples (for example `curl ... | bash`, `wget ... | sh`, credential examples), include a reviewer-visible reason and add an allowlist comment:
Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/docs/maintainers/security-findings-triage-2026-03-15.csv:5
https://chatgpt.com/codex/security/findings/e01a4ba9a89c8191aff2edc3fa7e28ac,sickn33/antigravity-awesome-skills,https://github.com/sickn33/antigravity-awesome-skills,Symlink-following copy leaks host files in setup_web,"The updated copy routine in scripts/setup_web.js now uses fs.statSync, which follows symlinks, and copies targets as regular files or directories. This lets a malicious skill entry be a symlink to any file on the build host (e.g., ~/.ssh/id_rsa or CI secrets). When npm run app:seWhy was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/docs/users/faq.md:237
- Replace risky examples like `curl ... | bash`, `wget ... | sh`, `irm ... | iex` with safer alternatives.
- Remove or redact token-like command-line examples.Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/evolution/SKILL.md:34
# Install makepad-skills with hooks enabled
curl -fsSL https://raw.githubusercontent.com/ZhangHanDong/makepad-skills/main/install.sh | bash -s -- --with-hooks
```Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/linkerd-patterns/SKILL.md:75
# Install CLI
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/linux-privilege-escalation/SKILL.md:147
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
package/bundled-skills/loki-mode/benchmarks/results/2026-01-05-01-24-17/swebench-predictions.json:729
"instance_id": "mwaskom__seaborn-3190",
"model_patch": "I found the exact patch. The fix is very simple - just wrap `axis.convert_units((vmin, vmax))` with `map(float, ...)` to ensure the values are converted to floats before the subtraction.\n\nNow I need to format this as a proper unified diff patch. The issue is about the bug before the fix was applied, so I need to generate the patch that transforms the old code to the new code.\n\nBased on the GitHub API response, the patch changes Why was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
package/bundled-skills/loki-mode/benchmarks/results/2026-01-05-01-24-17/swebench-predictions.json:904
"instance_id": "pytest-dev__pytest-7490",
"model_patch": "Based on my knowledge of pytest and the issue description, I can analyze this problem:\n\nThe issue is that in pytest 6.0.0rc0, dynamically adding an `xfail` marker using `request.node.add_marker(mark)` no longer ignores the test failure as it did in pytest 5.x.\n\nThe hint mentions commit c9737ae914891027da5f0bd39494dd51a3b3f19f caused this regression. This commit was related to evaluating xfail markers at call time for the stricWhy was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
package/bundled-skills/loki-mode/benchmarks/results/2026-01-05-01-24-17/swebench-results.json:737
"instance_id": "mwaskom__seaborn-3190",
"model_patch": "I found the exact patch. The fix is very simple - just wrap `axis.convert_units((vmin, vmax))` with `map(float, ...)` to ensure the values are converted to floats before the subtraction.\n\nNow I need to format this as a proper unified diff patch. The issue is about the bug before the fix was applied, so I need to generate the patch that transforms the old code to the new code.\n\nBased on the GitHub API response, the patch chanWhy was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
package/bundled-skills/loki-mode/benchmarks/results/2026-01-05-01-24-17/swebench-results.json:912
"instance_id": "pytest-dev__pytest-7490",
"model_patch": "Based on my knowledge of pytest and the issue description, I can analyze this problem:\n\nThe issue is that in pytest 6.0.0rc0, dynamically adding an `xfail` marker using `request.node.add_marker(mark)` no longer ignores the test failure as it did in pytest 5.x.\n\nThe hint mentions commit c9737ae914891027da5f0bd39494dd51a3b3f19f caused this regression. This commit was related to evaluating xfail markers at call time for the sWhy was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
package/bundled-skills/loki-mode/benchmarks/results/2026-01-05-10-37-54/swebench-loki-predictions.json:874
"instance_id": "mwaskom__seaborn-3190",
"model_patch": "--- a/seaborn/_core/scales.py\n+++ b/seaborn/_core/scales.py\n@@ -96,6 +96,9 @@ class Nominal(Scale):\n def _setup(\n self, data: Series, prop: Property, axis: Axis | None = None,\n ) -> Scale:\n+ # Convert boolean data to object dtype for consistent categorical handling\n+ if data.dtype == bool:\n+ data = data.astype(object)\n \n new = copy(self)\n if self._tick_params is NonWhy was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
package/bundled-skills/loki-mode/benchmarks/results/2026-01-05-10-37-54/swebench-loki-predictions.json:1282
"instance_id": "sphinx-doc__sphinx-8273",
"model_patch": "Based on the issue and architect's analysis, I need to generate a patch for Sphinx's man page builder. Since the actual Sphinx repository isn't present in the provided directory, I'll generate the patch based on the standard Sphinx codebase structure and the architect's guidance.\n\n```\n--- a/sphinx/builders/manpage.py\n+++ b/sphinx/builders/manpage.py\n@@ -26,7 +26,7 @@ from sphinx.util import logging\n from sphinx.util.console Why was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
package/bundled-skills/loki-mode/benchmarks/results/2026-01-05-10-37-54/swebench-loki-results.json:882
"instance_id": "mwaskom__seaborn-3190",
"model_patch": "--- a/seaborn/_core/scales.py\n+++ b/seaborn/_core/scales.py\n@@ -96,6 +96,9 @@ class Nominal(Scale):\n def _setup(\n self, data: Series, prop: Property, axis: Axis | None = None,\n ) -> Scale:\n+ # Convert boolean data to object dtype for consistent categorical handling\n+ if data.dtype == bool:\n+ data = data.astype(object)\n \n new = copy(self)\n if self._tick_params isWhy was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
package/bundled-skills/loki-mode/benchmarks/results/2026-01-05-10-37-54/swebench-loki-results.json:1290
"instance_id": "sphinx-doc__sphinx-8273",
"model_patch": "Based on the issue and architect's analysis, I need to generate a patch for Sphinx's man page builder. Since the actual Sphinx repository isn't present in the provided directory, I'll generate the patch based on the standard Sphinx codebase structure and the architect's guidance.\n\n```\n--- a/sphinx/builders/manpage.py\n+++ b/sphinx/builders/manpage.py\n@@ -26,7 +26,7 @@ from sphinx.util import logging\n from sphinx.util.consWhy was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/uv-package-manager/resources/implementation-playbook.md:54
# macOS/Linux
curl -LsSf https://astral.sh/uv/install.sh | sh
Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/varlock/SKILL.md:88
# Install Varlock CLI
curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew
Why was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
install-makefile-curl
HIGHMakefile/script pipes remote content to shell
package/bundled-skills/varlock/SKILL.md:243
# Install Varlock in container
RUN curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew \
&& ln -s /root/.varlock/bin/varlock /usr/local/bin/varlockWhy was this flagged?
A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
Badge
Markdown
[](https://sigilsec.ai/scans/3E485EB1-4E24-4D3C-BC84-0826DE4514E6)HTML
<a href="https://sigilsec.ai/scans/3E485EB1-4E24-4D3C-BC84-0826DE4514E6"><img src="https://sigilsec.ai/badge/npm/opencode-skills-antigravity" alt="Sigil Scan"></a>Run This Scan Yourself
Scan your own packages
Run Sigil locally to audit any package before it touches your codebase.
Early Access
Get cloud scanning, threat intel, and CI/CD integration.
Join 150+ developers on the waitlist.
Get threat intelligence and product updates
Security research, new threat signatures, and product updates. No spam.
Other npm scans
Believe this result is incorrect? Request a review or see our Terms of Service and Methodology.