trapiche-deploy

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These URLs point to an unknown third‑party service (trapiche.cloud / *.trapiche.site) that explicitly supplies a direct install.sh (curl ... | bash) and an anonymous deploy API/subdomains — a high‑risk pattern because piping remote shell scripts to bash and uploading project files to an untrusted service can execute or distribute malware and exfiltrate sensitive data; localhost:8080 itself is benign but only an optional override.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill runs a runtime install command that pipes remote code to a shell ("curl -fsSL https://trapiche.cloud/install.sh | bash"), which executes code fetched from https://trapiche.cloud/install.sh and is required for the deploy workflow.