crowdsec

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The docs include install-time commands that fetch and execute remote scripts at runtime (e.g. "curl -s https://install.crowdsec.net | sudo sh", "fetch https://raw.githubusercontent.com/crowdsecurity/pfSense-pkg-crowdsec/refs/heads/main/install-crowdsec.sh" then "sh install-crowdsec.sh", and "curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec-apache/script.deb.sh | sudo bash"), which clearly pull remote code that is executed and are relied on for installation.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs the agent to run privileged commands (run as root or via sudo), edit system files under /etc, control systemd units, and install/configure bouncers/firewall rules — all of which modify the host state and require elevated privileges.