clawpilot-pair
Warn
Audited by Snyk on May 5, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill requires installing and running remote npm packages at runtime (e.g., npm install -g @rethinkingstudio/clawpilot@latest and npm install -g cc-connect — see https://www.npmjs.com/package/@rethinkingstudio/clawpilot and https://www.npmjs.com/package/cc-connect), which fetch and execute remote code and are required for the skill to operate.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs installing/upgrading global packages (npm install -g), installing/starting gateway services, and preparing local management/bridge configuration — actions that modify system state and can require elevated privileges or change service/config files.
Issues (2)
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
MEDIUM W013: Attempt to modify system services in skill instructions.
Audit Metadata