zig

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]

The skill is principally benign documentation: examples, API migration guidance, and references for Zig v0.15.2 are consistent with its stated purpose. However, the installation instructions for 'anyzig' are risky: they instruct downloading a prebuilt binary from a personal GitHub Pages URL and moving it to /usr/local/bin (replacing the system zig) with no verification steps. That install pattern is disproportionate and could enable supply-chain compromise if the download is malicious or the host is compromised. Recommend marking the download instructions as cautionary: require checksums/signatures, recommend installing to user-local paths (not overwriting system compilers), or prefer installing from the project's official release assets or trusted package managers. Aside from that, there is no embedded malware or obfuscation in the document itself.

LLM verification: The provided SKILL.md is benign documentation for Zig 0.15.2 and contains no embedded executable or obfuscated code. The primary security concern is supply-chain: direct links to downloadable executable tarballs on a personal GitHub Pages host (marler8997.github.io) without checksum or signature verification guidance.
Recommend removing or replacing personal-hosted binary links with official distributions, or at minimum adding explicit checksum/signature and verification instructions, and warnin

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 16, 2026, 01:25 PM
Package URL
pkg:socket/skills-sh/nzrsky%2Fzig-skills%2Fzig%2F@10cf2feb3fc25a40bae08b1f5efe10d5645cc16b