beads
Fail
Audited by Snyk on Mar 29, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These are links to a personal GitHub repo plus a direct raw install.sh (used in a curl | bash command) — while GitHub itself is common, running unreviewed shell scripts or installing from an unknown user’s repo can execute arbitrary code and is therefore high risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's install instructions explicitly fetch and execute remote code — e.g. curl -fsSL "https://raw.githubusercontent.com/Dicklesworthstone/beads_rust/main/install.sh?$(date +%s)" | bash and cargo install --git https://github.com/Dicklesworthstone/beads_rust.git — which would run externally-sourced code as a required installation/runtime dependency.
Issues (2)
CRITICAL E005: Suspicious download URL detected in skill instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata