agentskills-io
Audited by Socket on Feb 21, 2026
1 alert found:
Malware: [Skill Scanner] Code execution from unpinned remote source (uvx/pipx + git URL)

Report 1 is the strongest baseline, accurately reflecting the repository's purpose and operational workflow. The improved assessment adds concrete security-oriented observations about external tooling and configuration pitfalls, delivering a more complete, actionable evaluation while maintaining benign default risk posture.

LLM verification: The document is legitimate documentation for creating and validating agent skills and is not itself malicious. However, it instructs users to install and execute remote code from a git+https URL without pinning or integrity checks. This download-and-execute pattern is a material supply-chain risk: if the remote repository or its dependencies are compromised, arbitrary code could run on users' machines. Recommend replacing unpinned installation commands with pinned tags/commit hashes, providing c