bounty-hunter-starter

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The URL points to a single GitHub repository owned by an unrecognized personal account and explicitly instructs cloning and running an install.sh script — a common malware distribution vector when from unvetted sources.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The README and SKILL install steps direct users to git clone https://github.com/henrylu884-wq/bounty-hunter-starter-pack.git and then run ./install.sh, which fetches remote code that is installed and applied as runtime rules (YAML/actions) that directly control agent behavior—so this external URL is a runtime dependency that results in executing externally fetched code.