First Seen: Feb 19, 2026
Last Scanned: Feb 22, 2026
Findings: 2
Score: 75/100
Findings (2)
Detects downloading a binary file followed by making it executable
Match: curl -L https://github.com/Ikana/temporal/releases/latest/download + chmod +x
Recommendation: Pin the download to a specific version tag or commit hash. Verify the downloaded file's checksum before using it. Avoid piping curl output directly to a shell.
Likely FP if downloading from an official, well-known domain (e.g., deno.land, rustup.rs) with HTTPS, though this pattern remains risky even with trusted sources.
Detects execution of shell script files via bash/sh command or direct invocation
Match: ./scripts/install.sh
Recommendation: Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.