code-quality-audit

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill contains runtime commands that fetch and execute remote install scripts (e.g., curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin and curl -sfL https://raw.githubusercontent.com/gitleaks/gitleaks/master/scripts/install.sh | sh -s -- -b /usr/local/bin in scripts/core/install-tools.sh) and explicitly instructs the agent to WebFetch external guidance (e.g., https://camoa.github.io/dev-guides/llms.txt) at runtime to drive explanations — both are high-confidence runtime external dependencies that execute remote code or directly influence prompts.