Missing User Warnings
Medium
- Confidence
- 98% confidence
- Finding
- The skill explicitly recommends piping a remotely fetched script directly into `sh`, which executes unreviewed code from an external domain with the user's privileges. In an agent skill context this is especially risky because it normalizes blind remote code execution during installation without any integrity verification or safety warning.
