code-review

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). One URL is a docs page but the other is a direct install.sh served from an unverified domain (cli.coderabbit.ai) and is explicitly recommended to be piped to sh—an inherently risky distribution pattern from an untrusted source that could deliver malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs installing the CodeRabbit CLI with "curl -fsSL https://cli.coderabbit.ai/install.sh | sh", which fetches and executes remote code at runtime and is required for the skill's review workflow, so it is a high-risk external dependency.