skill-system-installer
Warn
Audited by Snyk on Mar 12, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill's installer and listing scripts (scripts/install-skill-from-github.py and scripts/list-curated-skills.py, using github_request/_download_repo_zip and the GitHub API) fetch and install arbitrary public or user-specified GitHub repo paths (untrusted, user-generated content) into the agent's skills directory, which can materially change agent behavior by adding/executing new skill code.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The installer scripts fetch and install arbitrary GitHub repositories at runtime (e.g. https://codeload.github.com/{owner}/{repo}/zip/{ref} and https://api.github.com/repos/{repo}/contents/{path}?ref={ref}), and the fetched SKILL.md and code are written into the agent's skills directory—allowing remote content to directly control agent instructions or introduce executable code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). Flagged because the prompt explicitly instructs the agent to "request escalation" (i.e., obtain elevated privileges) when running its install/update scripts and lists fs.write and proc.exec effects that can modify or overwrite files on the host.
Issues (3)
- W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
- W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
- W013 MEDIUM: Attempt to modify system services in skill instructions.