wait-for-ci

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). Although the URL is a raw file on GitHub (a well-known host), it points to a TypeScript script from a personal repo that the skill tells you to execute directly via deno with broad permissions (--allow-run, --allow-env), which makes it potentially dangerous unless you review and trust the code and author.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill directs execution of a Deno script fetched at runtime from the public GitHub raw URL https://github.com/dtinth/wait-for-ci/raw/main/wait-for-ci.ts, meaning it ingests and executes untrusted third‑party content from the open web as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill runs remote code at runtime via Deno fetching and executing https://github.com/dtinth/wait-for-ci/raw/main/wait-for-ci.ts, so the fetched content directly executes and is a required runtime dependency.