icp-appgen
Fail
Audited by Socket on Feb 16, 2026
1 alert found:
Obfuscated File (HIGH): assets/workflows/build.yml
The workflow is functionally benign for building an ICP application but contains a high-risk supply-chain pattern: executing a remote installer script fetched at runtime without integrity or authenticity verification (curl | sh). This permits arbitrary code execution on the CI runner if the remote script or transport is compromised and could lead to secret exfiltration or environment compromise. Recommend replacing the piped installer with a pinned, signed release or a vetted action, verifying checksums/signatures, restricting secret access for the job that runs installers, and adding caching or hermetic tool provisioning to eliminate runtime fetches.
Confidence: 98%
Audit Metadata