chezmoi-creator

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.95). The skill's Codespaces bootstrap and install examples fetch and execute a remote installer at runtime from https://get.chezmoi.io (via curl/wget piped into sh or captured and sh -c), which runs remote code and is relied on for installing/bootstrapping chezmoi, so this is a high-confidence runtime risk.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly includes a sudo-based installation example (sudo sh -c "$(curl -fsLS get.chezmoi.io)" -- -b /usr/local/bin) which instructs obtaining elevated privileges and running a remote install command, representing a meaningful push to modify system state with escalated rights.