update-nexus

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.75). This is a GitHub repository from an unverified/unknown user that would be used to pull and execute update scripts on your system; while GitHub is common, lack of reputation/verification and the fact the repo provides code meant to be run makes it potentially risky.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill automatically fetches and syncs from an upstream public GitHub repo (default https://github.com/beamanalytica/Nexus-v4.git), parses the upstream JSON and file-change listings, and displays/applies those third-party files as part of its update workflow, exposing the agent to untrusted repository content that could carry indirect prompt-injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime "sync" uses an upstream git remote (default https://github.com/beamanalytica/Nexus-v4.git) to pull and replace core system files/skills, which can modify agent prompts or introduce/execute remote code during runtime.