dependency-vulnerability-scanner

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and ingests data from public third-party sources (e.g., "wget https://github.com/.../dependency-check-8.0.0-release.zip", "pip install pip-audit", "npm install -g snyk") and reads tool outputs like "npm audit --json > audit-report.json", so the agent consumes untrusted public vulnerability/advisory data that can materially influence remediation actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill contains an explicit runtime download-and-execute step (wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.0.0/dependency-check-8.0.0-release.zip followed by unzip and ./dependency-check/bin/dependency-check.sh), which fetches remote code and then runs it, satisfying the criteria for executing external code at runtime.