autoresearch

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). Most URLs are reputable GitHub/X pages (low risk), but the presence of a direct install script (https://astral.sh/uv/install.sh) intended to be run via curl | sh from a third‑party domain is a high‑risk indicator, so the bundle should be treated as potentially unsafe until the script is inspected and verified.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The setup and install steps fetch and execute remote code at runtime — notably the installer run via "curl -LsSf https://astral.sh/uv/install.sh | sh" and the repository cloned from "https://github.com/karpathy/autoresearch" (which provides train.py and other code the agent will run) — so these URLs provide remote code that is fetched and executed as required dependencies.