popebot-doctor

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's repair routine invokes "npm install" at runtime (execSync in lib/repair.js) which will fetch and install packages from the npm registry (e.g., https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz), thereby downloading remote code that can run (postinstall scripts) and is relied upon to repair/restore skills.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill provides automated "repair" functionality (popebot_doctor_repair, autoRepair, installation guidance, permission fixes) that can modify files, install tools, and change permissions — potentially altering system state and requiring elevated privileges — even though it does not explicitly instruct privilege escalation, user creation, or specific system-service edits.