The Community Approved a Different File | LUMP Depot

You find a skill on someone's blog. The comments say it works great. You run the install command.

That's the whole attack surface right there.

The server decides what you get

A URL is just an address. What lives at that address is up to whoever controls the server, and they can serve different content to different visitors. By IP, by country, by ISP, by the org your request resolves to. The community vetted it from their machines. You got a different file.

It's trivial to set up, and it works because the community's approval is the cover. Ten people said the skill was clean. They were right, for them. A site can be a honeypot for a specific government agency, university network, or company subnet while looking completely fine to everyone else.

GitHub doesn't save you

People treat GitHub raw URLs as if they're pinned. They're not. The file at raw.githubusercontent.com/user/repo/main/skill.md is whatever's on main right now. Push a change, and the file behind that unchanged URL changes with it. Account gets compromised, same deal.

You install a skill today, recommend the link next week, and by then it's different. The URL doesn't bind to content. It binds to a location. Locations change. A popular repo is a bigger target, not a safer one.

Hash the address, not the server

A CID (Content Identifier) is a cryptographic hash of the file's bytes. Change one byte, the CID changes. You can't swap the file without invalidating the address. The address and the content are the same thing.

That's the addressing scheme IPFS uses. Fetch a skill by CID from any public node and you get exactly what was published. No server deciding what you see. No IP-targeted bait-and-switch. A honeypot can't serve you a different file under the same CID; the math won't allow it.

Share skills by CID, not by URL

A URL asks people to trust your server indefinitely. A CID is a commitment: this exact set of bytes, nothing more. Anyone who fetches it from IPFS can confirm they have the same file you published, the same file anyone else reviewed. That guarantee doesn't expire.

If someone can't give you a CID, you don't actually know what you're running.
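To make the commitment concrete, here is an added example (not code from this post or from IPFS) that derives the CIDv1 for a small raw block the way ipfs add --cid-version 1 --raw-leaves does, and refuses content whose bytes don't match the CID you were handed. The skill text is constructed for the demo; it assumes the file is under the 256 KiB chunk size, since larger files get a dag-pb root CID that this single-block calculation does not produce.

```python
import base64
import hashlib

# Constructed sample content for the demo; not from the original post.
SKILL_MD = b"# Summarize skill\nRead the input, return three bullet points.\n"
RAW_BLOCK_LIMIT = 256 * 1024  # above this IPFS chunks the file; single-block CID no longer applies


def raw_cid_v1(data: bytes) -> str:
    """CIDv1 of one raw block: version 1, codec raw (0x55), sha2-256 multihash, base32 multibase."""
    if len(data) > RAW_BLOCK_LIMIT:
        raise ValueError("content exceeds one raw block; root CID would be dag-pb, not raw")
    digest = hashlib.sha256(data).digest()
    multihash = bytes([0x12, 0x20]) + digest      # 0x12 = sha2-256, 0x20 = 32-byte digest
    cid_bytes = bytes([0x01, 0x55]) + multihash   # 0x01 = CIDv1, 0x55 = raw codec
    b32 = base64.b32encode(cid_bytes).decode("ascii").lower().rstrip("=")
    return "b" + b32                              # 'b' = base32 multibase prefix


def verify_fetched(data: bytes, expected_cid: str) -> bool:
    """True only if the bytes you received hash to the CID you were given out of band."""
    return raw_cid_v1(data) == expected_cid


def demo() -> tuple[bool, bool]:
    """Show that the published bytes verify and a server-side swap does not."""
    published_cid = raw_cid_v1(SKILL_MD)              # what the reviewers would share
    # A server that hands a targeted visitor a slightly different file breaks the match.
    swapped = SKILL_MD.replace(b"three", b"two")
    return verify_fetched(SKILL_MD, published_cid), verify_fetched(swapped, published_cid)


if __name__ == "__main__":
    print(raw_cid_v1(SKILL_MD))   # bafkrei... for this sample
    print(demo())                 # (True, False)
```

The check only tells you the bytes match a CID; which CID to expect still has to come from the reviewer, not from the server you fetch from.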

install.sh is worse

A skill.md tells an LLM how to behave. An install.sh runs as you, with your permissions, and can call home wherever it wants. The classic curl https://example.com/install.sh | bash is still everywhere. People have been warning about it for years. It persists because the tools for doing it better haven't been widely adopted yet.

Read the file before you run it. That's the floor. But reading it doesn't help if the server sends a different file to the next person you share the link with.

tl;dr: A URL is a promise about a location, not content. Share skills and scripts by CID instead. The CID is the hash, the hash is the proof, and you can't swap the file without changing the address.