but
Fail
Audited by Snyk on Mar 12, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). Suspicious: this is a direct download of an install.sh from an external domain (gitbutler.com) — executing a remote shell script (curl | sh) is high-risk because it can run arbitrary code and the domain/package are not an established, verifiable vendor or official package manager.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill's required workflow (SKILL.md: "EVERY new agent session... Sync first → but pull" and repeated guidance to run "but status --json" and parse remote state) instructs the agent to fetch and parse upstream/forge data (git remotes, PRs, commit messages) which are user-generated/untrusted third-party content and can directly affect branch/commit/push decisions, so it can enable indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes an installation step that tells agents to run "curl -sSL https://gitbutler.com/install.sh | sh", which fetches and executes remote code at runtime (https://gitbutler.com/install.sh) and is presented as a required install dependency.
Issues (3)
E005
CRITICAL Suspicious download URL detected in skill instructions.
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata