orca-sec-scans

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's mandatory install step fetches and pipes a remote script to the shell (curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh ...), which downloads and executes remote code at runtime to install Trivy, so it is a runtime external dependency that executes code.