opencode-env-setup

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The deb.nodesource.com URL is an official NodeSource setup script (low risk), but the two astral.sh links host remote-install shell/PowerShell scripts from a third‑party/unknown domain (the PS1 is intended to be piped to iex), which are high‑risk vectors for malware distribution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime commands that fetch-and-execute remote scripts (curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash and curl -LsSf https://astral.sh/uv/install.sh | sh and irm https://astral.sh/uv/install.ps1 | iex) which download and run external code and are required for the setup, so they present a high-risk external dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). Flags: the skill instructs running system-level installs and security-bypassing commands (e.g., "sudo apt install", "curl ... | sudo -E bash", and PowerShell with -ExecutionPolicy ByPass), which request elevated privileges and modify the machine's state.