skills-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch and evaluate public skill pages (e.g., "use WebFetch on https://skills.sh///" and the remote-skill-assessment steps) so the agent will ingest untrusted, user-published web content and act on it (ranking/recommendations), which can enable indirect prompt injection from those third-party pages.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the agent to fetch remote skill pages at runtime (e.g., WebFetch https://skills.sh///) and to install ecosystem skills via npx which pulls from GitHub (e.g., https://github.com/vercel-labs/add-skill), so external content would be fetched during runtime and injected into the model's assessment/decision flow (and npx/git installs can execute remote code).