ubs

Pass

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The installation script (install.sh) and the primary runner (ubs) fetch language-specific analysis modules and the ast-grep binary from GitHub. The runner verifies these downloads against hardcoded SHA-256 checksums before execution to mitigate supply-chain risks.
  • [COMMAND_EXECUTION]: The tool orchestrates several command-line utilities, including ripgrep for fast text searches, ast-grep for structural analysis, and jq for merging JSON reports. It may also invoke the dotnet CLI if scanning C# projects.
  • [REMOTE_CODE_EXECUTION]: Automated scanners flagged the curl | bash installation pattern. This command executes the installer from the author's repository (Dicklesworthstone/ultimate_bug_scanner). This is the intended distribution method for the tool.
  • [SAFE]: The security alerts regarding homoglyphs, command injection, and unsafe deserialization (e.g., pickle.loads in test-suite/python/buggy/security_injection.py) refer exclusively to files within the test-suite/ directory. These are intentionally malicious fixtures used to verify that the scanner correctly identifies such vulnerabilities. These paths are explicitly excluded from analysis by the .ubsignore configuration.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 27, 2026, 06:54 PM