Pget

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a straightforward guide for using the pget download tool, with ordinary cautions around downloading/extracting files and installing a CLI binary with sudo.

Before installing or using this skill, make sure pget comes from a trusted source, avoid unverified sudo installs when possible, and review URLs, manifests, extraction targets, and overwrite flags so the agent does not write files somewhere unintended.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user or agent chooses the wrong URL, archive, manifest, or destination, files could be written or overwritten in unintended locations.

Why it was flagged

The skill documents commands that download remote content, extract archives, process manifests containing multiple destination paths, and optionally overwrite existing files.

Skill content

`pget <url> <dest> -x`; `pget multifile <manifest-path>`; `--force` to overwrite

Recommendation

Use trusted URLs and manifests, review destination paths before running bulk downloads, and only use `--force` when overwriting is intentional.

What this means

Installing an unverified latest binary with sudo could expose the system if the download source or release artifact is compromised.

Why it was flagged

The reference install method downloads the latest CLI binary directly into a privileged system path without pinning a version or showing checksum/signature verification.

Skill content

`sudo curl -o /usr/local/bin/pget -L "https://github.com/replicate/pget/releases/latest/download/pget_$(uname -s)_$(uname -m)"`

Recommendation

Prefer a trusted package manager or verify the release version and checksum/signature before installing; avoid sudo unless installing to a system path is necessary.