skill-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill pipeline explicitly fetches and clones public, user-generated content from GitHub (pipeline.ts / scripts/search.ts use gh search and gh repo clone) and scrapes the skills.sh marketplace (scripts/search.ts fetches https://skills.sh/trending), then writes that untrusted repo/file content into /tmp prompt files (e.g. /tmp/skill-assessment-prompt.md and /tmp/skill-security-audit-prompt.md created by assess.ts, audit.ts, report.ts) which the Pi Agent/LLM is instructed to read and analyze—so it clearly ingests open/public third‑party content that could enable indirect prompt injection.