skill-forge

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The gemini prompt explicitly instructs at runtime to run a remote installer via curl piped to bash (curl -fsSL https://raw.githubusercontent.com/Alcyone-Labs/agent-skills/main/install.sh | bash …), which fetches and executes remote code and is presented as the required update/install pathway for --update-skill, creating a clear high-risk dependency on that URL.