quickstart

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). Most links are official Pinecone documentation and safe, but the presence of a direct shell installer (https://astral.sh/uv/install.sh) that the prompt instructs users to curl and pipe to sh is a high-risk pattern because arbitrary remote .sh scripts can execute malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes a troubleshooting step that tells users to run curl -LsSf https://astral.sh/uv/install.sh | sh to install the uv runner, which fetches and immediately executes remote code and is effectively required to run the uv run commands used at runtime.