commit-message

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). The proxy URL appears to be a benign corporate proxy, but the raw.githubusercontent.com link is a direct raw shell script (curl | bash style) — executing remote .sh from a repository (even a known user) is inherently risky and should be inspected before running.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's installation step runs a remote installer via bash using the URL https://raw.githubusercontent.com/appleboy/CodeGPT/main/install.sh (curl ... | bash), which fetches and executes remote code and is presented as a required setup step for the skill.