openword-player
Fail
Audited by Snyk on Mar 6, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (medium risk: 0.65). The GitHub URL points to an unvetted third-party repo (unknown author). The skill explicitly instructs you to clone it, run npm install / npm run dev, and supply a sensitive GEMINI_API_KEY to a local web UI; these actions can execute arbitrary code and exfiltrate credentials. The 127.0.0.1:30000 address itself is just a localhost endpoint used by that untrusted code. Together this is moderately risky, though not an obvious direct malware binary download.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's required workflow (SKILL.md and session-runbook.md) explicitly tells the agent to git clone the public GitHub repository https://github.com/dinghuanghao/openword.git and to rely on its README/runbook as the "source of truth" for install/startup and runtime behavior. The agent will therefore fetch and read untrusted third-party content that can change how it runs and what actions it takes.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs at runtime to git clone https://github.com/dinghuanghao/openword.git and then run npm install / npm run dev, which fetches and executes remote code from that repository and is required for the skill to function.
Audit Metadata