arista-cvp

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). This URL points to an unofficial GitHub repository from an unknown account that instructs cloning and running code (including runtime dependency resolution), disables TLS verification per its guardrails, and handles sensitive CVP tokens — elevating risk of credential theft or supply-chain malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's install instructions explicitly require fetching and running the repository (git clone https://github.com/noredistribution/mcp-cvp-fun followed by running its entrypoint), so that external GitHub content is fetched at runtime and executed as a required dependency, which constitutes executing remote code.