beads-task-tracker

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). The URL points to a raw GitHub-hosted shell install script (install.sh) from a known author (steveyegge), which lowers provenance concerns, but any direct .sh download intended to be piped to bash is inherently risky because it can execute arbitrary code without review.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes an installation command that fetches and pipes a remote shell script to bash — "curl -fsSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash" — which downloads and executes remote code and is presented as the required way to install the bd tool the skill depends on.