sota-devsecops
Fail
Audited by Snyk on Jun 17, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). Most entries are legitimate supply‑chain, registry, or internal service endpoints (npm, PyPI, Sigstore/Rekor, GitHub workflow identities, internal proxies, OIDC token issuer, Kubernetes service) and are not themselves malicious, but the direct-download links to unknown domains (releases.example.com/tool-1.4.2-linux-amd64.tgz and install.example.com/tool.sh) are unverified direct installers and represent high‑risk distribution vectors that could deliver malware if not validated.
Issues (1)
E005
CRITICAL: Suspicious download URL detected in skill instructions.
Audit Metadata