assistant

Fail

Audited by Snyk on Feb 20, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The Pinecone signup page (app.pinecone.io) is an official web signup page and low risk, but the astral.sh link points directly to an install.sh script — running remote shell scripts (curl | sh) from a small/unverified domain is a high-risk delivery vector that could distribute malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's prerequisites instruct users to run a remote install script that is fetched and executed (curl -LsSf https://astral.sh/uv/install.sh | sh) and the skill requires the resulting 'uv' tool to run its scripts, so this URL pulls and executes remote code that the skill depends on.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 20, 2026, 10:11 PM