update-packages

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md Step 0 is mandatory and directs running references/skills-update-local.ts, which reads skills-lock.json and runs "bunx ... skills add" for entries with sourceType == "github", meaning the agent fetches and installs user-authored GitHub skill repos (untrusted third‑party content) that can alter agent instructions and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The script reads GitHub sources from skills-lock.json and at runtime runs bunx skills@latest add <source> (i.e. GitHub URLs such as https://github.com// or git@github.com:/.git), which fetches and installs remote skill code that can execute code and/or control agent instructions, so these external repo URLs are runtime dependencies that directly affect agent behavior.