kuroco-docs

Fail

Audited by Socket on Feb 23, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:

- [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
- [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
- [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
- [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]

Functionally the skill matches its stated purpose (search and sync of Kuroco docs). However, it instructs users/agents to run an unpinned remote script via curl | bash from raw.githubusercontent.com and passes a local filesystem path to that script. This download-and-execute pattern and lack of integrity verification represent a supply-chain risk and are disproportionate to a simple documentation sync (should prefer a pinned release, checksum, or clone-and-verify workflow). I classify this as SUSPICIOUS/vulnerable: not confirmed malware, but the sync/install pattern is high risk and should be changed to a safer distribution (git clone with pinned commit, verify signature/checksum, or include the sync script locally).

LLM verification: The skill correctly documents how to search and read local Kuroco documentation. However, it instructs agents/users to execute an unpinned remote shell script via curl | bash, which is a high-risk supply-chain pattern. While the provided file does not contain an explicit malicious payload, following its sync instructions could enable arbitrary remote code execution and compromise the host. Recommend removing or changing the download-and-execute flow to a safer, auditable mechanism (pinned git cl

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 23, 2026, 07:09 AM
Package URL
pkg:socket/skills-sh/diverta%2Fkuroco-skills%2Fkuroco-docs%2F@cb22b36eb4da1c7d2f63451a284930e2429c8b15