gateway-setup

The code/documentation aims to provide a multi-tier gateway system for persistent AI agents with Redis-based event bridging and optional external channels. However, the presence of a remote curl | bash installer creates a significant supply-chain risk, as it allows remote code execution at install time. The overall design is coherent with the stated purpose, but the reliance on a remote installer without verifiable integrity checks, pinning, or signature verification makes the approach suspicious from a supply-chain security perspective. If this skill is intended for open distribution, it should replace the curl | bash pattern with pinned, signed installers (e.g., checksums, GPG verification), host installers on trusted registries, and provide explicit in-repo verification steps. Additionally, there should be clearer separation of concerns, explicit credential handling (especially for Telegram or other external channels), and a secure default configuration path to reduce risk. Overall risk: suspicious, leaning toward elevated risk due to download-execute pattern and external script dependency.