Create Skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "Create Skill From Repository" workflow explicitly accepts a repo_link and instructs the agent to clone and perform a full project analysis of that repository, meaning it ingests arbitrary public/untrusted repository contents which the agent will read and act on to create skills, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill accepts arbitrary repository URLs via the repo_link parameter (e.g., https://github.com/owner/repo.git or git@github.com:owner/repo.git) and/or reference URLs and clones/fetches them at runtime to generate SKILL.md, meaning external content can be injected and directly control the agent's prompts/instructions.