wpm
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

This skill documentation appears to be a legitimate command reference for a WordPress package manager. There are no direct signs of malware or malicious code in the provided text. The main supply-chain risk is the installation method: executing a remote script fetched via `curl | bash` or PowerShell `iex` without documented integrity verification (checksums, signatures) is risky and could allow an attacker who compromises the wpm.so host or its DNS to deliver arbitrary code. The WPM_TOKEN usage for publishing is appropriate, but users must protect the token and the registry endpoint. Recommend: treat the installer script as a sensitive operation (review the script before executing, prefer documented signed releases or package manager installs), and consider adding package signing/verification and more explicit registry URLs and integrity checks in documentation.