Replace curl | sh install pattern to pass security audits

[jacksweeney5]

Summary

A prospective user (Jesse) flagged that several skills in omni-agent-skills are failing security audits (Snyk, Gen Agent Trust Hub) due to the curl | sh installation pattern for the Omni CLI. Their team's policy is that any skill with a failed security audit is not safe to use in their codebases, which is blocking adoption.

Skills affected:

• omni-query
• omni-model-explorer
• omni-model-builder
• omni-content-builder
• omni-content-explorer
• omni-embed
• omni-ai-optimizer
• omni-to-snowflake-semantic-view

Problem

The current install instruction:

curl -fsSL https://raw.githubusercontent.com/exploreomni/cli/main/install.sh | sh

Is flagged by both Snyk (E005/W012) and Gen Agent Trust Hub as a supply chain / remote code execution risk. This single issue accounts for the majority of security audit failures across all skills.

Desired outcome

Replace the curl | sh pattern with a more secure distribution method. Options to consider (not prescriptive on which):

• Package manager (Homebrew, npm global, etc.) — checksummed and versioned by the registry
• Signed releases — GPG/cosign signatures on GitHub release artifacts
• Pinned versions + checksum verification — download a specific tagged release and verify SHA256 before executing
• Some combination of the above

Once the CLI install method is updated, the install instructions in all skill SKILL.md files will need to be updated accordingly.

Context

• Slack message from Jesse (2026-04-13) noting this blocks adoption for their team's Snowflake MCP workflow
• Audit details visible at https://skills.sh/exploreomni/omni-agent-skills

[ernestoongaro]

Proposed rollout plan:

1. Add Homebrew as the default install path via an ExploreOmni tap formula in exploreomni/homebrew-tap.
   • Phase 1 install commands:
     • brew install exploreomni/tap/omni
     • or brew tap exploreomni/tap && brew install omni
2. Keep the current curl ... | sh path in place as a fallback while downstream skills/docs migrate.
3. Follow up with a separate curated homebrew/core submission so fresh installs can eventually use brew install omni with no tap step.
4. Keep both the explicit tap install (brew install exploreomni/tap/omni) and the core install working during the migration window.

Important implementation detail: phase 1 is no longer using GoReleaser's deprecated brews integration. Instead, the release workflow will render and publish Formula/omni.rb into exploreomni/homebrew-tap from the tagged release artifacts and checksums. The eventual homebrew/core formula will still be maintained separately.

[n8agrin]

closing as won't fix. We're not going to stop offering the shell install option, just going to offer other options as well.