but

Fail

Audited by Snyk on Apr 18, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 1.00). This is high risk: it is a direct .sh installer served from an unverified third-party domain (curl | sh style installation), which can execute arbitrary code and is not a known official/verified vendor.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's mandatory agent workflow requires running "but pull" and "but status --json" (see "EVERY new agent session..." and "IMPORTANT for AI agents: Add --json flag"), which ingest, and require the agent to read, upstream repository contents, diffs, commit/PR messages and other remote user-generated data (e.g., from GitHub or another forge), so untrusted third-party content can materially influence subsequent tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill's installation instructions include a command that downloads and executes remote code ("curl -sSL https://gitbutler.com/install.sh | sh"), which is a required installer for the GitButler CLI used by the skill and thus can execute arbitrary remote code.

Issues (3)

E005 (CRITICAL): Suspicious download URL detected in skill instructions.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 18, 2026, 02:43 PM
Issues: 3