mirrord-config

Fail

Audited by Socket on Feb 15, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] command_injection: Reference to external script with install/setup context (SC005)

The skill is conceptually benign and its capabilities align with its stated purpose (generate/validate/fix mirrord.json using the packaged schema plus the mirrord CLI). The primary security concern is the instruction to install mirrord via curl | bash (raw GitHub script execution) and the implicit trust placed in the external mirrord binary run during validation. Those steps create a supply-chain risk (remote code execution and potential network telemetry/exfiltration by the external installer/CLI) and should be treated with caution: prefer package-manager installs with verified provenance, or require explicit manual review of installer scripts and provide hash/signature checks. No direct evidence of malware or obfuscation exists in the skill content itself.

LLM verification: The mirrord-config skill is effectively aligned with its primary purpose of generating and validating configurations. However, it exhibits high-risk installation guidance (curl | bash and external installers) that introduces significant supply-chain and host-security risks. To improve security posture, replace or supplement remote-install steps with verifiable, signed artifacts via official package managers or pre-vetted binaries, add checksum/signature validation, and clearly separate tool inst

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 15, 2026, 09:29 PM
Package URL
pkg:socket/skills-sh/metalbear-co%2Fskills%2Fmirrord-config%2F@7969aa67ac9b1728f24c371848fc9cc71fa59e23