openclaw-unity-skill

Pin the curl/wget download to a specific URL with version and verify the downloaded file's SHA-256 checksum before using it. Prefer package manager installs over raw downloads.

Likely FP if the download is from a well-known canonical source (e.g., official GitHub release) and the documentation includes checksum verification steps.

Pin the curl/wget download to a specific URL with version and verify the downloaded file's SHA-256 checksum before using it. Prefer package manager installs over raw downloads.

Likely FP if the download is from a well-known canonical source (e.g., official GitHub release) and the documentation includes checksum verification steps.

Prevent URL redirection from bypassing SSRF protections. Validate the final destination URL after following redirects and block redirect chains that resolve to internal addresses.

Likely FP if the match is documentation about redirect handling behavior without an actual open redirect vulnerability.

Replace conditional download-and-install logic with explicit dependency declarations in a manifest file (package.json, requirements.txt). Verify checksums for any runtime downloads.

Likely FP if the conditional install is documentation showing standard prerequisite checks (e.g., checking if a tool is installed before installing it).

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.