damage-control

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). bun.sh is the official installer for the Bun runtime (low risk) but the skill also instructs piping remote shell/PowerShell scripts from a lesser-known domain (astral.sh) into sh/iex — executing remote .sh/.ps1 is a high-risk pattern because it can deliver arbitrary code, so overall this is moderately high risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The runtime_requirements include commands that download-and-execute remote install scripts—https://astral.sh/uv/install.sh, https://astral.sh/uv/install.ps1, https://bun.sh/install, and bun.sh/install.ps1 (invoked via curl|sh or irm|iex)—which fetch and run remote code as required dependencies.