groove-admin-install

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill's required install steps fetch companion skills from public GitHub URLs (e.g., the npx skills add https://github.com/vercel-labs/skills --skill find-skills and similar lines in the "Install companion skills" step of SKILL.md), pulling untrusted third‑party code/docs into the agent environment which can materially change subsequent tool use or behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill runs npx install commands at runtime that fetch and install remote skills (including SKILL.md that controls agent prompts or may execute code) from https://github.com/vercel-labs/skills, https://github.com/vercel-labs/agent-browser and the npx package andreadellacorte/groove, so external content fetched at runtime can directly control prompts or run code.