skill-installer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's install and listing scripts explicitly fetch and ingest content from arbitrary GitHub repositories (scripts/install-skill-from-github.py downloads codeload.github.com or performs git sparse-checkout of user-provided repos/paths, and scripts/list-curated-skills.py queries the GitHub API for curated listings), which are public, user-controlled third-party sources that the agent reads as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The installer scripts make runtime requests to GitHub (e.g. https://codeload.github.com/{owner}/{repo}/zip/{ref} and https://api.github.com/repos/{repo}/contents/{path}?ref={ref}) to download skill repositories/contents which are then installed as Codex skills—remote content that can directly control agent prompts or contain executable skill code, so this is a required runtime dependency and a high-confidence risk.