fuelcheck

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The URL is a direct download of an install.sh from a personal GitHub repository — although GitHub is a reputable host, piping and executing an unverified shell script from an unknown repo can run arbitrary code and is therefore risky unless you inspect and verify the script and the repository's authenticity.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires installing fuelcheck using a curl-pipe command that fetches and executes remote code (https://github.com/emanuelarcos/fuelcheck/releases/latest/download/install.sh | sh), which is a runtime installation step that directly runs external code and is required for the skill to operate.