skill-installer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and installs content from arbitrary GitHub repositories (see scripts/install-skill-from-github.py and scripts/list-skills.py which call the GitHub API and download repo zip/git-checkout), so untrusted third-party repo contents (including SKILL.md and code) are ingested and can directly alter agent behavior by installing new skills.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The installer scripts explicitly download and/or git-clone arbitrary GitHub repositories at runtime (e.g. https://codeload.github.com///zip/, https://api.github.com/repos///contents/, and git@github.com:/.git), and those fetched SKILL.md and skill files are required dependencies that can directly control agent prompts or include executable code when installed.