youdotcom-cli

Avoid installing packages from private or unofficial registries specified in skill instructions. Verify the registry URL is legitimate and use scoped packages with registry configuration.

Likely FP if the private registry is a well-known enterprise registry (e.g., GitHub Packages, Artifactory) documented in the project setup.

Avoid installing packages from private or unofficial registries specified in skill instructions. Verify the registry URL is legitimate and use scoped packages with registry configuration.

Likely FP if the private registry is a well-known enterprise registry (e.g., GitHub Packages, Artifactory) documented in the project setup.

Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.

Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.

Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.

Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.