skill-installer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's installer and listing scripts (scripts/install-skill-from-github.py and scripts/list-curated-skills.py, using github_utils.py) explicitly fetch and download content from public GitHub (api.github.com and codeload.github.com) and install arbitrary repo paths (including SKILL.md and code) into $CODEX_HOME/skills, meaning untrusted, user-generated repository content is ingested and can change the agent's capabilities and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The installer scripts fetch and install skill content at runtime from GitHub (e.g., https://codeload.github.com/{owner}/{repo}/zip/{ref} and https://api.github.com/repos/{repo}/contents/{path}?ref={ref}), and those fetched SKILL.md files become agent skills that can directly control prompts/instructions, so these runtime downloads present a high-risk vector.