dart-setup-ffi-assets
Fail
Audited by Snyk on Jun 12, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). This is a direct GitHub Releases download URL serving precompiled native binaries from an unverified/unknown org, a common malware vector. Direct executable downloads from personal repos/releases should be treated as high risk unless cryptographic verification and a trusted publisher are confirmed.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The hook explicitly calls HttpClient.getUrl(Uri.parse('https://github.com/my-org/my-native-repo/releases/download/$version/$target')) at runtime to download precompiled dynamic libraries which are then added as CodeAsset native binaries (i.e., remote native code that will be executed/loaded), so this URL is a runtime external dependency delivering executable code.
Issues (2)
- CRITICAL E005: Suspicious download URL detected in skill instructions.
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).