env-setup

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The URL points to an unverified GitHub repository (placeholder/unknown username) whose supplied Python script is intended to be cloned and executed — this could run arbitrary code and overwrite local files, so despite GitHub being a common host the unknown source and "run this script" instruction make it potentially dangerous.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow explicitly instructs cloning a (potentially public/untrusted) GitHub repo and running sync_env.py to import files such as config/CLAUDE.md and agents/*/system.md, which are user-generated third-party contents that the agent will ingest and that can directly change system prompts and agent behavior (e.g., the included CLAUDE.md thinking protocol).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs a git clone of the remote repo (git clone https://github.com/yourusername/claude-env-sync.git) during runtime and that repository contains config/CLAUDE.md which the sync script installs as the global prompt (directly controlling agent instructions), so this is a required runtime dependency that injects external prompt content.