docx-reader

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). This is a direct link to an installer shell script (install.sh) hosted on a third‑party domain (astral.sh); executing remote .sh files is intrinsically risky because they run arbitrary code and the host is not a widely recognized official package source, so verify authenticity/signatures before running.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires the external tool "uv" and its install instructions explicitly instruct running remote installer scripts that fetch and execute code (curl -LsSf https://astral.sh/uv/install.sh | sh and irm https://astral.sh/uv/install.ps1 | iex), so the skill depends on remote content that would execute code if installed as directed.