update-claude-code

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly runs runtime installation of remote code via "npm install -g @anthropic-ai/claude-code@latest" (and also references the remote installer URL https://claude.ai/install.sh), which fetches and executes external code and is required for the skill to perform the update.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). Yes — the skill explicitly instructs the agent to bypass the application's automatic rollback mechanism, perform global npm installs and delete local version directories (rm -rf), which actively modifies the machine state and circumvents built‑in protections.