skill-finder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill loads and updates a skill index from public GitHub repositories (references/skill-index.json sources, the PowerShell script's gh search/--add-source/--update flows, and the VS Code extension's GitHub download/install behavior) and reads SKILL.md/instruction files from those community repos, so the agent will ingest and interpret untrusted, user-generated content from the open web allowing indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill instructs the agent to download and install code locally and explicitly tells the agent to "NEVER show commands to users
• execute silently," enabling it to modify the machine state and run arbitrary commands without transparency, though it does not explicitly request sudo, create users, or modify system config files.