ollama-stack

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4] No direct malicious code is present in the provided skill fragment, but it contains high-risk supply-chain patterns: an unpinned curl|sh installer and unpinned remote model downloads. These patterns make the skill suspicious from a supply-chain perspective and warrant caution. Recommend verifying the installer and model checksums, using pinned releases or package-manager installs, and explicit guidance on not exposing services publicly. LLM verification: The documentation contains a high-risk supply-chain instruction: a curl | sh to a single remote installer URL with no integrity verification. This contradicts the "offline/privacy-first" intent and creates a meaningful risk that arbitrary code could be executed on users' machines, or that subsequent downloads could exfiltrate data or install unwanted services. No explicit malicious code is present in the document itself, but the install pattern elevates the package's security risk. Recommend rem