data360-orchestrate

Fail

Audited by Snyk on Jun 26, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The URLs point to an unvetted GitHub user/repo and include a direct raw Python installer (raw.githubusercontent) plus git clone targets (one with a malformed trailing brace). Pulling and running raw installer scripts, or cloning and executing community plugins from an unknown account, can run arbitrary code and is therefore high-risk unless you first audit the repo, verify maintainer reputation, and run in a safe sandbox.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The bootstrap script (scripts/bootstrap-plugin.sh) clones and installs code from the external git repository https://github.com/Jaganpro/sf-cli-plugin-data360.git at runtime (git clone → yarn install → npx tsc → sf plugins link), which fetches and executes remote code. The skill relies on that external plugin as a required runtime dependency.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Jun 26, 2026, 12:31 PM
Issues: 2