Missing User Warnings
Medium
- Confidence
- 95% confidence
- Finding
- The code downloads a ZIP from a remote URL and extracts it to disk automatically, with no integrity verification, no path sanitization checks, and no explicit user confirmation about the network fetch and filesystem write. In a security scanner context, this is risky because scanning an untrusted skill should not itself perform unsafe archive extraction, and a crafted ZIP could abuse extraction behavior or cause unexpected local writes.
