install-script-generator

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These URLs point to a raw GitHub-hosted shell script (install.sh) from an unverified/placeholder user/repo — a direct .sh download intended for piping to bash is high-risk because it can execute arbitrary commands without review; the second URL is an incomplete root URL.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill repeatedly instructs (and generates) a one-liner that fetches and executes a remote installer (e.g., "curl -sSL https://raw.githubusercontent.com////install.sh | bash"), which is a runtime fetch of remote code that will be executed and thus presents a high-risk external dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.95). The skill explicitly instructs the agent to generate and write system-level installer scripts (and to sync/update the repository), includes logic to detect and invoke sudo and package managers, and endorses one-liner curl|bash installs that will modify system state and require elevated privileges, so it pushes the agent to perform privileged, state-changing operations.