environment-setup-guide

skills-sh:sickn33_antigravity-awesome-skills__environment-setup-guide

Grade: C

First Seen: Feb 18, 2026
Last Scanned: Feb 20, 2026
Findings: 14
Score: 61/100

Severity breakdown: HIGH 1, MEDIUM 3, LOW 10

Findings (14)

HIGH: Code block labeled "markdown" contains executable content (L71)

Code block labeled "markdown" contains executable content

## Setting Up Node.js Development Environment

### Prerequisites
- macOS, Linux, or Windows
- Terminal/Command Prompt access
- Internet connection

### Step 1: Install Node.js

**macOS (using Homebrew...
FIX: Align the tool description with what the code actually does. If the description says one thing but the code does another, update the description to be accurate or fix the code.

FP?: Likely FP if the NLP analyzer misinterpreted technical jargon or the description accurately describes behavior through domain-specific terminology.

MEDIUM: Runtime URL controls agent behavior (L83)

Detects skills fetching external URLs to use as runtime instructions

curl -fsSL https://raw.githubusercontent.com + instructions
FIX: Pin the downloaded resource to a specific version or commit hash, and verify its integrity with a checksum (SHA-256). Avoid fetching scripts or binaries from arbitrary URLs at runtime.

FP?: Likely FP if the download URL points to a well-known CDN or package registry (e.g., npmjs.com, pypi.org) and is pinned to a specific version.

MEDIUM: PowerShell command execution (L102)

Detects PowerShell Invoke-Expression, Start-Process, and related execution commands

iex (
FIX: Restrict PowerShell execution to specific allowlisted commands. Use -ExecutionPolicy Restricted and avoid Invoke-Expression with dynamic strings.

FP?: Likely FP if the match is in documentation showing PowerShell setup for a legitimate tool (e.g., installing a module via Install-Module).

MEDIUM: Privilege escalation (L263)

Detects privilege escalation patterns like setuid, chown root, or sudo with shell commands

sudo sh
FIX: Avoid depending on packages that could be subject to typosquatting or name confusion. Verify package ownership, check download counts, and audit the package source before adding dependencies.

FP?: Likely FP if the flagged package is a well-known, high-download-count package from a verified publisher.

LOW: Chained shell command execution (L83)

Detects chained commands using shell operators with dangerous operations

curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Node.js
brew install node
\`\`\`

**Linux (Ubuntu/Debian):**
\`\`\`bash
# Update package list
sudo apt update...
FIX: Break chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.

FP?: Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.

LOW: System package manager install (L86)

Detects system-level package installation via brew, apt, yum, or dnf

brew install n
FIX: Pin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.

FP?: Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.

LOW: System package manager install (L96)

Detects system-level package installation via brew, apt, yum, or dnf

apt install -y n
FIX: Pin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.

FP?: Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.

LOW: Shell profile modification for persistence (L164)

Detects instructions to modify shell config files for environment persistence

echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.bashrc
FIX: Avoid modifying shell profiles (.bashrc, .zshrc, .profile) programmatically. Instruct users to add PATH entries manually, or use a version manager (nvm, pyenv) instead.

FP?: Likely FP if the match is documentation showing how to add a tool to PATH manually, especially if it only appends to PATH without modifying other settings.

LOW: System package manager install (L178)

Detects system-level package installation via brew, apt, yum, or dnf

brew install p
FIX: Pin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.

FP?: Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.

LOW: System package manager install (L184)

Detects system-level package installation via brew, apt, yum, or dnf

apt install p
FIX: Pin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.

FP?: Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.

LOW: pip install arbitrary package (L223)

Detects pip install of arbitrary packages that modify the host environment

pip install fl
FIX: Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?: Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW: Shell script file execution (L263)

Detects execution of shell script files via bash/sh command or direct invocation

sh get-docker.sh
FIX: Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

FP?: Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.

LOW: Docker environment credentials (L301)

Detects Docker or docker-compose commands passing credentials via environment variables

environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=
FIX: Remove credential values from Docker environment flags (-e) and docker-compose environment sections. Use Docker secrets, .env files (in .dockerignore), or a secrets manager.

FP?: Likely FP if the Docker environment variable has an empty or placeholder value (e.g., -e API_KEY= or -e PASSWORD=changeme) in setup documentation.

LOW: Shell profile modification for persistence (L390)

Detects instructions to modify shell config files for environment persistence

echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.bashrc
FIX: Avoid modifying shell profiles (.bashrc, .zshrc, .profile) programmatically. Instruct users to add PATH entries manually, or use a version manager (nvm, pyenv) instead.

FP?: Likely FP if the match is documentation showing how to add a tool to PATH manually, especially if it only appends to PATH without modifying other settings.