skill-building

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's evaluation workflow explicitly fetches and loads arbitrary public repositories (e.g., scripts/fetch_skill.py clones GitHub URLs and references/evaluating.md Step 1 instructs running it), meaning the agent ingests untrusted, user-generated SKILL.md and repo files which can directly influence security audits, decisions, and subsequent tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). scripts/fetch_skill.py performs a runtime git clone of arbitrary GitHub repositories (e.g. https://github.com/{owner}/{repo} or git@github.com:owner/repo.git) to retrieve SKILL.md and repo files that are then read and used to drive agent prompts/instructions, so remote content fetched at runtime can directly control the agent.