new-project-setup

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). These URLs are high-risk: they point to a direct release tarball and raw GitHub install scripts (curl|bash and irm|iex) from accounts/repositories of unclear provenance, which is a common malware distribution pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (medium risk: 0.65). Step 2 invokes sync-template, which “self pull[s] from rheinmir/setup@orca” and installs skills; that runtime pull can ingest outsider-authored free text (skill SKILL.md / template content) into the agent’s LLM context via the installed skills’ instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill clearly fetches and executes remote code at runtime (e.g., downloads and extracts a binary from https://github.com/rtk-ai/rtk/releases/latest/download/rtk-x86_64-unknown-linux-musl.tar.gz and pipes/executes scripts from https://raw.githubusercontent.com/JuliusBrussee/caveman/main/install.sh and https://raw.githubusercontent.com/JuliusBrussee/caveman/main/install.ps1; the harness installer also clones rheinmir/setup@orca), so these URLs are runtime dependencies that can execute remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill performs system-level installs and modifications (extracting a downloaded binary into /usr/local/bin, running remote install scripts like curl|bash, installing global tools, and patching agent config files), actions that modify the machine state and may require sudo, so it should be flagged.