try
Warn
Audited by Snyk on Apr 13, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to clone and inspect public GitHub repos and to install/read npm/pip packages (see Phase 0/Phase 1 recon: README, package manifests, src/, examples/, tests) — untrusted third‑party content the agent must read and act on to choose primitives, write/run scripts, and compose follow‑on actions, enabling indirect prompt injection.
Issues (1)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).