ileap

Fail

Audited by Socket on Mar 4, 2026

1 alert found:

Malware (HIGH)
SKILL.md

The iLEAP spec and accompanying documentation are normative specifications and implementation guidance and are not themselves executable or malicious. However, the documentation includes pragmatic examples that instruct users to fetch and execute an external ACT runner script via `curl | bash` (raw.githubusercontent.com). This download-and-execute pattern, and the provided CI example that runs the same script with repository secrets, are legitimate convenience patterns but constitute a supply-chain risk: an attacker could modify the remote script or compromise the hosting account and harvest credentials or run arbitrary commands in users' environments. There are no hardcoded secrets or obfuscated payloads in the spec; the network endpoints referenced are legitimate project domains. Recommendation: prefer pinned, verifiable releases (SHA256 checks, signed releases, or fetching a release asset and verifying its signature) or instruct users to inspect downloaded scripts before execution; avoid `curl | bash` in CI with secrets without additional safeguards.

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Mar 4, 2026, 08:24 AM
Package URL
pkg:socket/skills-sh/way-platform%2Fskills%2Fileap%2F@eebd19f282e5a36220518968934ec9a964d27888