developer-workflow
Audited by Socket on Feb 22, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

This skill is coherent with its stated purpose (managing monorepo workflows via mise), but it contains high-risk supply-chain patterns: an unpinned curl | sh installer and a persistent eval appended to the user's shell startup. Those patterns increase the attack surface because a compromised installer or mise.run domain could execute arbitrary commands with the user's privileges. No active exfiltration or hidden backdoor is visible in the document itself, but the installer pattern is a significant supply-chain risk. Recommend replacing curl | sh with package-manager installs or providing pinned checksums/signatures, and advising manual review before appending to shell startup. Treat the skill as suspicious and review installer sources before use.

LLM verification: The skill documentation is functionally legitimate for monorepo developer workflows using 'mise', but it contains a high-risk supply-chain pattern: an unpinned pipe-to-shell installer (curl https://mise.run | sh) and instructions to persistently enable the tool in shell startup. There is no evidence of embedded malware in the text, but these practices materially increase the attack surface (especially for CI agents holding secrets). Recommended mitigations: replace pipe-to-shell with pinned rele