claude-code-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly exposes WebFetch/WebSearch and third-party MCP servers (see "Available Tools" in SKILL.md / README and the mcp_config.example.json showing github/slack), and the CLI (src/index.ts) lets persistent sessions and the 'call' command invoke those tools so the agent can fetch and interpret untrusted public web/social content and then take tool-driven actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill can spawn npx at runtime to run packages like "@modelcontextprotocol/server-filesystem" and "@modelcontextprotocol/server-github" (e.g. "npx -y @modelcontextprotocol/server-filesystem"), which causes remote code to be fetched from the npm registry (https://registry.npmjs.org/) and executed to provide MCP servers relied upon by the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill exposes arbitrary Bash execution and file read/write/edit tools, including options that can bypass permission prompts (e.g. "bypassPermissions") and allow configuring tool patterns, which enables modification of system files or running sudo-like commands and thus can compromise the host.