flagrelease

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly downloads a public model (env-verify: "Download Qwen3-0.6B (if not cached)") and the install-stack step runs detect_network.py that probes GitHub/PyPI mirrors—both are untrusted third-party sources whose content and outputs are parsed and used to make gate/recommendation decisions in the pipeline.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill clearly fetches and installs runtime packages and model weights (it probes GitHub/PyPI and downloads Qwen3-0.6B), so external sources such as https://pypi.org/ and https://github.com/ would be accessed at runtime to fetch and execute remote code required by the pipeline.