varlock

Fail

Audited by Snyk on Mar 7, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The presence of a direct installer script (https://varlock.dev/install.sh) served from a project domain combined with an unverified GitHub user means there's an elevated risk if you curl | sh without auditing the code; the other links (api.example.com placeholder, the project homepage, the GitHub repo—safer if inspected—and localhost:3000) are not inherently malicious but do not eliminate the risk of the install.sh delivery vector.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill instructs installing the Varlock CLI by fetching and executing a remote installer (curl -sSfL https://varlock.dev/install.sh | sh -s -- --force-no-brew), which runs remote code during setup and is a required dependency for the skill.
Audit Metadata

Risk Level: CRITICAL

Analyzed: Mar 7, 2026, 08:26 PM