happy-dreamina

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs at runtime to run a remote installer that downloads and executes a shell script via "curl -fsSL https://jimeng.jianying.com/cli | bash", which fetches and runs remote code and is presented as a required dependency for the CLI.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly directs the agent to run a remote shell installer (curl ... | bash) that writes to the user's machine and to run CLI commands that alter local state (including creating credential files), which encourages modifying the host system and is a security risk.