a0-setup-cli
Fail
Audited by Snyk on May 4, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The flagged URLs include raw GitHub-hosted install.sh/install.ps1 scripts from an unverified/unknown account that the skill explicitly instructs to pipe into sh/PowerShell (a high-risk "download-and-execute" pattern). The other URLs (localhost and example.trycloudflare.com) are benign endpoints, but the direct execution of raw scripts from an untrusted repo makes the overall source suspicious.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly directs runtime execution of remote installer scripts (curl -LsSf https://raw.githubusercontent.com/agent0ai/a0-connector/main/install.sh | sh and irm https://raw.githubusercontent.com/agent0ai/a0-connector/main/install.ps1 | iex) and suggests installing from git+https://github.com/agent0ai/a0-connector, which fetches repository code that will be executed/installed. These URLs therefore directly deliver and run remote code used by the skill at runtime.
Issues (2)
- CRITICAL E005: Suspicious download URL detected in skill instructions.
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata