unit-test-remote
Audited by Socket on Mar 3, 2026
1 alert found:
Obfuscated File
The document defines a legitimate verify-gate skill to run remote unit tests by invoking a local bits-ut binary. The specification itself does not contain malware, hard-coded credentials, or obfuscated code, but it depends on an external binary and unspecified network interactions.
Primary risks: (1) supply-chain execution risk from running an unverified ~/.bits-ut/utd binary, (2) potential command/argument injection if implementation concatenates shell strings, and (3) potential exfiltration to unspecified remote MCP endpoints.
Recommendation: enforce strict controls. Verify/pin the bits-ut binary, avoid shell string concatenation (use exec with argument vectors), validate and sanitize parameters, document and whitelist remote endpoints and exact data transmitted, and restrict invocation to an auditable, minimal-privilege verify environment. If implementation details are available, review them for unsafe exec patterns, network endpoints, and binary provenance.