local cache validation
Before executing cached application sources from sccm, there is no further validation of the hash against server etc.
The problem is, that everyone who is familiar with sccm or does only minor research in where to find cached files, could change the setup files to whatever he wants
And those files are afterwards executed in system context.
Some users already do their testing to install services etc in system context executed by SCCM!