Missing User Warnings
Low
- Confidence
- 85% confidence
- Finding
- The README instructs users to fetch executable skill content and a codebook directly from a remote GitHub URL into a local skills directory using curl, without integrity verification, version pinning, or warnings about trust and overwrite risks. If the remote repository is compromised, changed unexpectedly, or the local path already contains trusted files, users could silently install or replace skill content with malicious instructions.
