moai-lang-python
Audited by Socket on Feb 20, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

This skill manifest is largely benign: it provides developer guidance and patterns consistent with its stated purpose. No code or embedded behavior indicates malware or credential harvesting. The primary security concerns are operational — recommending curl-based install from a third-party domain (astral.sh) and granting Bash execution in allowed-tools. If an agent running this skill has high privileges or network access and blindly executes recommended installs, that could lead to compromise. Review and vet any remote installer URLs before execution, and scope agent shell permissions tightly.

LLM verification: Overall, the documentation-oriented fragment aligns with its intended informational purpose but contains risky guidance (unpinned dependencies and third-party script installation) that could become a supply-chain risk if translated into actual install steps. There is no active malware or data flow demonstrated; the primary risk is secure-by-default packaging practices and clear guidance to pin versions and vet scripts.