update-packages

Warn

Audited by Snyk on Apr 23, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's references/check-outdated.ts fetches package metadata from the public npm registry and, when run with --changelog, downloads GitHub release notes for packages. SKILL.md explicitly requires running that changelog flow and using the resulting outdated-changelog.json (releases[] bodies) to drive classification, code/config changes, and update decisions, which exposes the agent to untrusted third-party release notes that can influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). references/skills-update-local.ts reads GitHub skill sources from skills-lock.json and at runtime runs bunx ... skills add <source>, which fetches and installs code from GitHub repository URLs (e.g. https://github.com/owner/repo or git@github.com:org/repo.git). Remote repository content is therefore retrieved and executed/installed as agent skills.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 23, 2026, 10:17 AM
Issues: 2