openduck-distributed-duckdb
Warn
Audited by Snyk on Apr 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md shows explicit runtime flows that ATTACH to arbitrary openduck endpoints (e.g., ATTACH 'openduck:mydb?endpoint=...&token=...') and run queries like SELECT * FROM cloud.users, meaning the agent will fetch and interpret data from external/untrusted databases via gRPC/Arrow IPC which could contain user-generated instructions that influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs cloning and building remote code from https://github.com/CITGuru/openduck (git clone ...; cargo build/run), which fetches and then executes external code as part of installation/runtime, so I flag that URL.
Issues (2)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata