Is it Sparkle or are you loading a web page using the script? I have a few large companies with paloaltonetworks software running. The domain being used for either could trigger it if not added to their list of known domains.
Update: XDR flagged 17 apps on my company issued mac as malware. It prevents me from using those apps. I have converted the ones I still use to Apple applets, which do no get flagged, and deleted the rest.
One app that was flagged was an old version of Script Geek. The new version (2.02) was not flagged. In that case it seems the exec file was also the issue.