numerai-model-upload

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] command_injection: Reference to external script with install/setup context (SC005)
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill is documentation and workflow guidance for creating and uploading Numerai model pickles. The capabilities, required credentials, installation sources, and data flows are internally consistent with its stated purpose. I found no code or instructions that indicate credential harvesting, data exfiltration to unknown third parties, obfuscated malicious logic, or backdoors. The main risks are operational: users should inspect any install scripts fetched via curl | bash and protect their Numerai API tokens. Overall, the content appears benign and appropriate for the stated task.

LLM verification: This skill/instruction document is coherent with its stated purpose and contains expected operations for creating and testing Numerai-compatible pickles. No direct malicious code is present in the provided text. However, there are legitimate supply-chain and operational risks: (1) recommending cloudpickle for serializing executable callables introduces a code-execution risk if pickles are loaded from untrusted sources, (2) piping a remote install script (curl | bash) is a high-risk practice and sh

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 16, 2026, 12:30 PM
Package URL: pkg:socket/skills-sh/numerai%2Fexample-scripts%2Fnumerai-model-upload%2F@4885b0641bffb5d8754aea273f1a556e41c0015d