setup
Fail
Audited by Snyk on Feb 22, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt explicitly shows and instructs embedding API keys verbatim in CLI commands and a --api-key flag (e.g., casedev auth set-key --api-key sk_case_..., --api-key <key>), which can require the agent to output secret values directly even though an env-var method is recommended.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The instructions include a direct raw GitHub shell script URL (install.sh) that would commonly be piped to sh, plus a project-specific domain (case.dev). While these are likely intended for a legitimate CLI, direct execution of a raw .sh from a non-widely-known repo and a small private domain are common malware distribution vectors unless you can verify the repository owner and domain reputation.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The bundled installer script (scripts/setup.sh) pipes curl to sh, fetching and executing remote code from https://raw.githubusercontent.com/CaseMark/homebrew-casedev/main/install.sh at runtime, and this path is used as a required installation fallback.
Audit Metadata