open-persona

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to search, fetch, and install community persona packs and skills from public registries (e.g., openpersona.co via openpersona search, ClawHub/skills.sh npx clawhub search / https://skills.sh/api/search, GitHub owner/repo installs, and Hugging Face dataset repos), which are untrusted user-generated sources that the agent is expected to read/interpret and that can materially change tool use and runtime behavior.