setup-dev

Fail

Audited by Socket on Feb 24, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] URL pointing to executable file detected

All findings:
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill is a developer-focused setup and troubleshooting guide for running Sentry locally and is largely consistent with its stated purpose. The primary security concerns are supply-chain patterns: it instructs users to run remote install scripts via curl | bash (Homebrew and devenv install script) and to install a browser extension that can access cookies. These patterns raise supply-chain and credential-risk but are common in developer onboarding docs. There is no direct evidence of malicious intent or code that exfiltrates data to attacker-controlled domains in the provided text.

Recommendation: treat the curl|bash install steps as high-risk operationally — reviewers or users should inspect the remote install script before executing, prefer cloning the repository and running the installer locally, and be cautious with installing browser extensions and seeding credentials. For CI/automated environments, pin versions and avoid unverified pipe-to-shell installs.

LLM verification: This file is a legitimate, operational developer onboarding guide for Sentry.
The primary security issues are supply-chain and operational: unverified remote script execution (curl | bash) without pinned commits or checksums, recommendations that could cause destructive local data loss (docker rm -f ...), a weak hardcoded dev superuser password, and advising installation of a browser extension without vetting guidance. There is no explicit malicious code or evident exfiltration in the provided t

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 24, 2026, 07:56 PM
Package URL: pkg:socket/skills-sh/getsentry%2Fsentry%2Fsetup-dev%2F@3da70085774c2020547a9b3fa097c4dd81cde7b7