mobile-use-setup
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). astral.sh/uv/install.sh is high-risk because it is a shell script served directly from a third-party domain and the skill instructs piping it to sh, which allows arbitrary remote code execution. By contrast, platform.minitap.ai appears to be an official service domain and is not a direct executable download.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The create-project.sh script performs a runtime curl to fetch an LLM configuration template from raw GitHub (https://raw.githubusercontent.com/minitap-ai/mobile-use/main/llm-config.override.template.jsonc). The fetched JSONC is used as the agent's local LLM config, which can directly control prompts/instructions, so this is a runtime external dependency that can influence agent behavior.
Audit Metadata