meta-docs

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). Suspicious — it's a direct link to an install.sh on an external/uncertain domain (astral.sh) and the skill explicitly recommends piping curl to sh, which can execute arbitrary code and is a common malware distribution pattern.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's prerequisites instruct running curl -LsSf https://astral.sh/uv/install.sh | sh which fetches and immediately executes remote code to install the required "uv" runtime, meaning the URL directly causes remote code execution and is a required dependency for using the skill.