nix-setup

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill ships runnable installers and build steps that fetch and execute remote code at runtime — e.g., the devbox installer curl | bash (https://get.jetify.com/devbox), the Determinate Systems Nix installer curl | sh (https://install.determinate.systems/nix) and the setup_nix.sh TARBALL_URL fetch (https://releases.nixos.org/nix/nix-${NIX_VERSION}/nix-${NIX_VERSION}-${SYS}.tar.xz) as well as apm.nix's fetchurl from GitHub releases (https://github.com/microsoft/apm/releases/download/...), all of which will download and install/execute remote binaries when the templates/scripts are run.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs running system installers and a setup_nix.sh that writes to /etc/nix/nix.conf and /etc/profile.d (disabling sandboxing, altering system-wide config), which are system-file modifications that require root and thus change the machine state.