pipelex-setup

Fail

Audited by Snyk on Mar 5, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The domain hosts a direct install.sh script and the skill explicitly instructs piping curl output into sh — a high-risk pattern for arbitrary code execution even if a privacy-policy page exists, so the download source should be treated as suspicious until the script and domain are verified.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.95). The skill instructs the user at runtime to run a remote install script via "curl -fsSL https://pipelex.com/install.sh | sh", which fetches and immediately executes remote code, so this external URL is a high-risk runtime dependency.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 5, 2026, 08:42 PM