skill-creator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to "Installing from GitHub (use repo-research) — clone → read → remove" and to "copy only the target skill folder into skills//", which requires cloning and reading arbitrary public GitHub repos (untrusted, user-generated content) as part of the workflow and thus could allow indirect prompt-injection to influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly instructs cloning GitHub repositories at runtime via the repo-research workflow (e.g., https://github.com/...) to copy SKILL.md/references into skills/, which means fetched external repo content could directly supply prompts/instructions or code the agent would ingest—so this is a real runtime dependency that can control agent behavior.