nix-setup

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The included assets/setup_nix.sh explicitly downloads and unpacks a remote Nix tarball at runtime from https://releases.nixos.org/nix/nix-${NIX_VERSION}/nix-${NIX_VERSION}-${SYS}.tar.xz and then invokes the unpacked nix tooling (nix-store, etc.), which is a fetch-and-execute of remote code required to bootstrap Nix in the documented workflows.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs running an installer and a provided setup_nix.sh that writes to /etc/nix/nix.conf and /etc/profile.d, disables sandboxing, and changes system-wide configuration (actions that require root/sudo and alter machine state), so it pushes the agent to modify the host system.