render-cli

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes installation commands that fetch and execute remote code at runtime (e.g., curl -fsSL https://raw.githubusercontent.com/render-oss/cli/refs/heads/main/bin/install.sh | sh, git clone git@github.com:render-oss/cli.git && go build, and the CI download https://github.com/render-oss/cli/releases/download/v1.1.0/cli_1.1.0_linux_amd64.zip), so these external URLs directly execute code and are required dependencies.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt instructs installing system-wide binaries (e.g., curl | sh install and a CI step doing "sudo mv ... /usr/local/bin"), which directs the agent to perform privileged filesystem modifications and run potentially untrusted install scripts—actions that can compromise the host state.