install-skills
Warn
Audited by Snyk on Feb 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly queries GitHub (scripts/list-skills.sh uses the GitHub API) and can clone arbitrary GitHub repositories (scripts/install-skill.sh), then reads and displays SKILL.md from those public repos, exposing the agent to untrusted, user-generated content that could contain indirect prompt injections.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The install and listing scripts fetch repository content at runtime from "https://github.com/$SOURCE_REPO.git" (git clone) and "https://api.github.com/repos/$SOURCE_REPO/contents/$SKILLS_PATH" (curl). These requests pull SKILL.md and arbitrary skill files into the agent environment. That content can directly control agent prompts or include executable code that the agent may later load, so these runtime URLs are a high-confidence source of externally controlled instructions and code.