skill-manager

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and installs arbitrary public GitHub repositories/subdirectories into the agent's .claude/skills (see SKILL.md examples and scripts/install.sh which uses git clone and sparse-checkout to copy remote repos into .claude/skills), meaning untrusted user-generated content can be pulled in and then read/executed by the agent and thus influence its behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). scripts/install.sh explicitly fetches and installs arbitrary GitHub repositories/subdirectories at runtime (e.g., https://github.com/anthropics/claude-code and https://github.com/jgtolentino/insightpulse-odoo/...), using git clone / sparse-checkout to pull remote SKILL.md and command files that will be placed into .claude and can directly control agent prompts or include executable content.