setup-engine
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's required workflow (steps 3, 7, and 10) explicitly uses WebSearch and instructs the agent to "fetch and extract" official documentation, migration guides, changelogs, and other public web pages to populate reference docs and to check deprecated APIs. Untrusted public third-party content will therefore be read and can materially change agent decisions and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly performs runtime WebSearch and "fetch and extract" of official engine documentation (e.g., https://docs.godotengine.org, https://docs.unity3d.com, https://docs.unrealengine.com) to populate reference docs and update agent instructions. External URLs fetched at runtime will therefore directly influence agent prompts and instructions.