excalidraw

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The workflow's "Update check (notify, don't pull)" step explicitly runs git ls-remote against the upstream origin and may run git pull on the skill directory if the user agrees, meaning the agent fetches and can ingest external repository content from an upstream origin that could change the skill's behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill instructs global npm installation and an explicit sed "macOS patch" that edits files in the global npm package directory and also describes updating the skill directory (writing a .last_update file and optionally running git pull), which can mutate system- or environment-owned files (often requiring sudo), so it encourages actions that can change machine state even though it doesn't explicitly ask for sudo or creating users.