groove-admin-install

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and installs companion skills from public GitHub URLs in step 4 (e.g., running "npx skills add https://github.com/vercel-labs/skills --skill find-skills" and similar), which brings untrusted third-party content into the agent runtime and could contain instructions that materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill runs npx to fetch and install remote skill repositories at runtime (e.g. https://github.com/vercel-labs/skills, https://github.com/vercel-labs/agent-browser, and the andreadellacorte/groove repo referenced by npx skills add), which will install SKILL.md-backed companion skills that the agent will load and thus allow remote content to control prompts or supply executable skill code.