cmux-freestyle

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). The links point to a public GitHub repo and a raw install.sh that, if executed, will download and run binaries and configure networking to route traffic through a third‑party Tailscale host (subrouter-team.tail41290.ts.net), so while the sources are GitHub-hosted (which can be legitimate) executing the remote script and routing API traffic through an external tailnet present clear security and privacy risks.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill provides a runtime one-liner that fetches and executes a remote install script (curl -fsSL https://raw.githubusercontent.com/manaflow-ai/cmux-freestyle/main/install.sh | bash) and alternatively instructs cloning https://github.com/manaflow-ai/cmux-freestyle.git and running ./setup.sh, so remote content is fetched at runtime and executed.