pytest-coverage-measurement
Audited by Socket on Feb 24, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]

The document is benign, useful guidance for coverage measurement and enforcement. The main security concern is the unpinned pipe-to-shell installer (curl | sh) used to install 'uv' in the CI example — this is a high-risk supply-chain pattern that can allow arbitrary remote code execution in CI and should be removed or replaced with pinned, integrity-verified installation methods. There is no direct evidence of malware or obfuscated/backdoor code in the provided examples, but the CI pattern elevates the package's supply-chain risk and should be remediated before adoption in sensitive CI environments.

LLM verification: This skill is documentation and helper code for pytest coverage measurement and is consistent with its stated purpose. No direct malicious code is present in the examples, but the CI example contains a high-risk supply-chain pattern: an unpinned curl|sh installer (https://astral.sh/uv/install.sh). That single pattern increases supply-chain risk because it executes remote code on CI runners and could be used to exfiltrate data or run arbitrary commands if the remote script or domain is compromise