Primary finding
setup.sh pipes remote install script to shell without verification
- gitlawb/scripts/setup.sh:11-13
The setup script downloads and executes an arbitrary remote shell script with no checksum, signature, or pinned-version verification. Anyone able to MITM or compromise gitlawb.com (or its TLS chain) can achieve arbitrary code execution on every user running setup.sh. Because setup.sh is in `scripts/` and intended to be run by users/agents onboarding to the skill, this propagates the risk to every consumer of the skill. The README documents the same pattern, but inside an automated helper script the risk is materially worse: agents may run setup.sh without the user reading it. At minimum a checksum verification step (download to tempfile, verify sha256, then execute) should be used; ideally prefer the npm or Homebrew install paths which are already documented as alternatives in SKILL.md.
Recommendation
Either (a) replace the curl|sh with `npm install -g @gitlawb/gl` (already listed as the recommended install method in SKILL.md), or (b) download install.sh to a temp file, verify a pinned SHA-256 published out-of-band, and only then execute. Also fail closed if the download fails (currently `set -euo pipefail` will catch curl failures, but the piped `sh` masks the exit code on some shells — use `set -o pipefail` explicitly and check `${PIPESTATUS[@]}`).
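Option (b) as a worked example, added here and not part of the gitlawb project's own scripts: the install URL and digest are placeholders, and the real SHA-256 must come from a value the project publishes out-of-band, not from the same host that serves install.sh.

```shell
#!/usr/bin/env bash
# Hardened replacement for "curl ... | sh": download, verify a pinned digest, then run.
# Added example; INSTALL_URL and INSTALL_SHA256 are placeholders, not project values.
set -eu
(set -o pipefail) 2>/dev/null && set -o pipefail   # same intent as setup.sh's -o pipefail

INSTALL_URL="https://example.invalid/install.sh"                                   # placeholder
INSTALL_SHA256="0000000000000000000000000000000000000000000000000000000000000000" # placeholder

# sha256_of FILE: print the hex digest with whichever tool the platform provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_file FILE EXPECTED: 0 if the digest matches (case-insensitive), 1 otherwise.
verify_file() {
  local actual expected
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# run_verified_file FILE EXPECTED: execute FILE only after its digest matches.
# On mismatch nothing is executed, so a tampered or truncated download never runs,
# which is exactly what piping a live download into sh cannot guarantee.
run_verified_file() {
  if ! verify_file "$1" "$2"; then
    echo "refusing to run $1: SHA-256 mismatch" >&2
    return 1
  fi
  sh "$1"
}

# install_from URL EXPECTED: fetch to a private tempfile, failing closed on any HTTP
# or transport error (--fail), then verify and run; the tempfile is always removed.
install_from() {
  local tmp
  tmp=$(mktemp) || return 1
  if curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
          --output "$tmp" "$1" && run_verified_file "$tmp" "$2"; then
    rm -f "$tmp"; return 0
  fi
  rm -f "$tmp"; return 1
}

# Only download when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--install" ]; then install_from "$INSTALL_URL" "$INSTALL_SHA256"; fi
```

Because the script is written to disk before it is executed, there is no pipeline whose exit status could be masked, so the bash-only `${PIPESTATUS[@]}` check is not needed here; `set -euo pipefail` already implies `set -o pipefail` for any remaining pipes.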