cto-playbook

Fail

Audited by Snyk on Mar 7, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). This is a direct link to a shell installer on an external domain (astral.sh) intended to be piped to sh — a high-risk pattern because it grants arbitrary code execution from an unvetted/unknown host and can readily distribute malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's CI/install instructions require running "curl -LsSf https://astral.sh/uv/install.sh | sh" to install uv (used to run uvx snyk-agent-scan), which fetches and executes remote code at runtime and is presented as a required dependency.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 7, 2026, 10:49 AM