cm

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). Although the URLs are hosted on GitHub (a reputable platform), they point to an unknown/personal account and include a direct raw .sh install script (curl | bash) and repo clones from an unverified source—classic high-risk indicators because running unreviewed install scripts can install arbitrary/malicious binaries.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's primary workflow (e.g., "cm context" which returns historySnippets from the CASS episodic memory and "cm onboard read /path/session.jsonl --template" which returns sessionContent) explicitly ingests and uses raw cross-agent session logs (user-generated, potentially remote/untrusted) as part of decision-making and rule creation, so third‑party content can materially influence tool actions and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The docs contain install-time commands that fetch-and-execute remote scripts (e.g., curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/cass_memory_system/main/install.sh | bash, curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash, and git clone https://github.com/Dicklesworthstone/cass_memory_system.git followed by bun run build), which run remote code during setup and therefore present a high-confidence runtime code-execution risk.