apply-template

Warn

Audited by Snyk on Apr 9, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly clones the ai-env template from a public GitHub repo (git clone https://github.com/camacho/ai-env.git) and then reads and interprets template files (apply-template.manifest.json, AGENTS.md, .claude/settings.json, skills-lock.json, dotfiles/sync.sh, etc.) as part of merge and post-apply steps — untrusted public content that can change hooks, skills, settings, and commands the agent will run, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). At runtime, the skill clones the template from https://github.com/camacho/ai-env.git and then reads and applies template files (including .claude agent instruction files) and may run template scripts such as dotfiles/sync.sh, so fetched remote content can directly control agent prompts and execute code.

Issues (2)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 9, 2026, 02:14 PM
Issues: 2