controller-cli

Fail

Audited by Socket on Feb 24, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

The manifest/doc appears to describe a legitimate Starknet controller CLI with appropriate human-approval and least-privilege registration workflows. The principal security issues in this fragment are: (1) an unpinned pipe-to-shell installer (curl | bash), which is a high supply-chain risk and should be avoided, and (2) defaulting to a hosted RPC/paymaster (api.cartridge.gg), which centralizes transaction-related data and could expose metadata to a third party. There is no direct evidence in the supplied text of credential exfiltration, backdoors, obfuscated code, or remote control.

Mitigations: do not run unpinned installers, obtain/verify release artifacts, prefer user-controlled RPC endpoints or self-hosted nodes, ensure strict local key file permissions, and review the installer and wrapper scripts before execution.

LLM verification: The skill aims for secure CLI-based Starknet interactions with explicit network controls but contains high-risk supply-chain signals: curl | bash installation from raw GitHub, external install scripts, and credential-read patterns. Recommend moving to signed/pinned installers (preferred registry-based or package-manager distribution), removing latent credential access patterns from documentation, and enforcing verification steps for all external endpoints. Until mitigated, classify as SUSPICIOUS

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 24, 2026, 04:10 AM
Package URL: pkg:socket/skills-sh/keep-starknet-strange%2Fstarknet-agentic%2Fcontroller-cli%2F@799fc0e3ee82dbf5b29c86c52faebfa5a7951fe9