transcript-fixer

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). The package includes direct links to .sh and .ps1 installers hosted on an unrecognized domain (astral.sh) with explicit curl|sh and PowerShell-iex install commands—classic high-risk behavior for malware distribution (open.bigmodel.cn may be legitimate but does not offset running unknown installers directly).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill mandates using the "uv" runner and the Prerequisites include install commands that fetch and execute remote scripts (curl -LsSf https://astral.sh/uv/install.sh | sh and powershell -c "irm https://astral.sh/uv/install.ps1 | iex"), which downloads and runs remote code as a required setup step.