setup-workflow-skills
Fail
Audited by Snyk on May 14, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The URL is a direct raw.githubusercontent.com link to a shell installer (install.sh) from an unfamiliar GitHub account — a remote .sh intended to be fetched/executed can run arbitrary commands, so it is high risk unless you review the script and trust the repo.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs running curl -fsSL https://raw.githubusercontent.com/gastownhall/beads/main/scripts/install.sh | bash to install the Beads CLI, which fetches and executes public GitHub-hosted (third‑party/user-generated) code as part of the required workflow, allowing that external content to control agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill includes a runtime command that fetches and executes remote code, "curl -fsSL https://raw.githubusercontent.com/gastownhall/beads/main/scripts/install.sh | bash", to install the Beads CLI, which is a required dependency if the CLI is missing.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill tells the agent to install a third-party CLI system-wide via a curl | bash installer and to run initialization and sed commands that modify the repo and system state (operations that may require elevated privileges), so it actively changes the machine beyond read-only inspection.
Issues (4)
CRITICAL E005: Suspicious download URL detected in skill instructions.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
MEDIUM W013: Attempt to modify system services in skill instructions.
Audit Metadata