provisioning-with-comtrya

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The URLs present a moderate-to-high risk: they include a remote installer endpoint (get.comtrya.dev) typically used to pipe scripts to sh, a direct archive download (example.com/tool.tar.gz) that could contain binaries, and a generic GitHub user repository (github.com/user/dotfiles.git) that may include executable or install scripts. None are verified official or CDN sources, and all should be validated before download or execution.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly supports fetching and ingesting untrusted third-party content—e.g., file.download from arbitrary URLs, git.clone of public repo URLs, binary.github downloads, and package.repository additions—which the agent is expected to read or act on (including file.copy with templating, file.unarchive, and subsequent command.run), exposing it to potential indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs privileged operations (sudo/comtrya apply, privileged: true), creating users/groups, enabling system services (systemctl), and writing to system paths (e.g., /usr/local/bin), which directly modify and can compromise the host system state.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 12:55 AM