chezmoi-chef

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill explicitly instructs initializing from and cloning public GitHub repos (SKILL.md "Initialize on New Machine" with chezmoi init --apply github-username and the curl install one-liner) and documents that run_* scripts in the cloned source execute during apply, so untrusted user-generated repo content from the open web can be fetched and directly influence execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill documentation includes a runtime one-liner that runs remote code via sh -c "$(curl -fsLS https://get.chezmoi.io)" -- init --apply ..., which directly fetches and executes a script from https://get.chezmoi.io during installation/init and thus meets the criteria for a risky external dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill instructs the agent to run/apply dotfiles and arbitrary scripts (including curl|sh installers and run scripts that contain sudo package-install commands) and to manage sensitive files like SSH keys, which encourages modifying the machine state and using elevated privileges.