ai-rag-pipeline
Audited by Socket on Mar 8, 2026
1 alert found:
Malware

The skill targets legitimate RAG pipeline construction and multi-tool orchestration, which is coherent with its stated purpose. However, there are several high-risk patterns: (1) a curl|sh installation flow that downloads and executes a remote binary, (2) reliance on unverifiable binaries and external distribution channels, and (3) potential for transitive installation of additional tools via npx or similar mechanisms. These patterns raise supply-chain and runtime-execution concerns that are not fully mitigated by the provided checksum references. Given the combination of intended functionality and these risk signals, the overall assessment leans toward SUSPICIOUS (high-risk, nontrivial weaponization surface) rather than Benign, pending stronger safeguards (pinned, verifiable builds; in-repo checksums; explicit, audited dependencies; explicit data-handling policies).