actionlint

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes an explicit runtime install command that uses curl to fetch the latest release metadata from https://api.github.com/repos/rhysd/actionlint/releases/latest (and then downloads/extracts the referenced binary), and the go module path github.com/rhysd/actionlint/cmd/actionlint@latest can also pull and install remote code—both are runtime fetches that install/execute external binaries.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill instructs installing a binary and even shows a command that extracts to /usr/local/bin (a privileged location), which directs the agent to modify system-wide files that typically require elevated privileges even though it doesn't explicitly call out sudo.