Software Installation Assistant
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent x-cmd software-installation lookup helper, with the main caution that installing x-cmd can involve running a remote installer script.
This skill is reasonable for looking up software installation commands. Before letting it help install x-cmd itself, prefer the documented Homebrew or manual-review path, and avoid `curl ... | sh` in sensitive environments unless you explicitly accept the risk.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user chooses the auto-install route, code from get.x-cmd.com runs on their machine and could affect their user environment if the source or network path is compromised.
The guide documents a curl-to-shell installer from an external source, which is a supply-chain/code-execution exposure. It is purpose-aligned and clearly warned about, with safer alternatives and consent guidance.
**⚠️ WARNING:** This executes remote code without manual review.

```bash
curl -fsSL https://get.x-cmd.com | sh
```

...

**Only proceed with auto-install if user explicitly consents**
Prefer the Homebrew or download-review-execute method, and only use the auto-install command in disposable or low-sensitivity environments after explicit approval.
