skill-manager

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and processes content from arbitrary remote repositories (uses each Skill's source_url and git ls-remote in scripts/scan_and_check.py and the SKILL.md "更新 Skill" workflow states "Agent 从远程仓库获取新的 README" to compare and rewrite SKILL.md/update wrappers), meaning untrusted, third‑party README/repo content is read and can directly influence agent actions and updates.