aipa-fundamentals

Fail

Audited by Snyk on Jun 13, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). astral.sh/uv/install.sh is a direct .sh installer (commonly used with "curl | sh") hosted on a small third‑party domain and therefore represents a high‑risk distribution vector; aipriceaction.com is the project's website/documentation (low risk) but does not remove the danger of running the remote install script.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill instructs runtime fetching/execution of remote code — e.g., the installation pipe "curl -LsSf https://astral.sh/uv/install.sh | sh" and the runtime use of "uvx aipa-cli@latest" (which fetches and runs the aipa-cli package) — so external content is executed during skill runtime.


Audit Metadata

Risk Level: CRITICAL
Analyzed: Jun 13, 2026, 03:40 PM
Issues: 2