skill-installer

Warn

Audited by Snyk on Feb 17, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This installer (scripts/install-skill.js) downloads arbitrary folders and files from user-supplied GitHub URLs using the GitHub API and entry.download_url, thereby pulling untrusted, user-generated content from the public web into the agent’s skill workspace where it can be read or executed.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The installer fetches arbitrary repository contents at runtime using the GitHub API URL pattern (https://api.github.com/repos///contents/) and the returned entry.download_url (commonly raw.githubusercontent.com links), which will download SKILL.md and executable scripts from the remote repo that can control agent prompts or be executed after installation.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 12:00 AM