plugins-management

Warn

Audited by Snyk on May 9, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly supports adding and installing marketplaces and plugins from public GitHub/GitLab/URL sources (see SKILL.md "Distribution methods" and "/plugin marketplace add ..."). It also documents that plugin components (commands/*.md, agents/*.md, skills/*/SKILL.md) contain Markdown instructions the agent will load and act on. Untrusted third-party repositories and marketplace JSON can therefore be fetched, and their user-authored instructions can influence the agent's behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill documentation explicitly shows adding external marketplaces and plugin sources at runtime, e.g. "/plugin marketplace add https://example.com/marketplace.json" and git URLs like "https://gitlab.com/user/repo.git" (and SSH forms like "git@github.com:org/repo.git"). The platform fetches these at runtime and loads plugin manifests and command/agent SKILL.md files that directly control model prompts/instructions, so this is a high-confidence risky runtime external dependency.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: MEDIUM
Analyzed: May 9, 2026, 10:57 PM
Issues: 2