pluginstaller

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow explicitly fetches and parses a user-provided GitHub repo ("Fetch the repo and locate the plugin root by finding .codex-plugin/plugin.json"), so it ingests untrusted third-party (user-generated) content whose manifest and files directly influence installation and marketplace actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches a user-supplied GitHub repository at runtime (e.g., https://github.com/owner/repo or git@github.com:owner/repo.git), and that fetched plugin bundle (including a skills/ directory and plugin manifest) is a required dependency whose contents will be installed into Codex and can directly introduce instructions/skills that control agent behavior.