setup-mac-dev

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly downloads and executes content from public third-party sources—e.g., the Homebrew installer from raw.githubusercontent.com (Step 3), the Node tarball from nodejs.org (Step 4), the astral.sh install script via curl|sh (Step 5), and GitHub repo zipballs/repos in Step 6—which are untrusted/user-controlled assets the agent ingests and may execute, so they can materially influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill directly executes remote install scripts at runtime (curl | bash) for Homebrew (https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh) and uv (https://astral.sh/uv/install.sh), which fetch and run remote code and are used as required install paths.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt instructs the agent to run system-level installation commands (xcode-select, Homebrew installer, softwareupdate) and even explicitly suggests using sudo to install Command Line Tools and non-GUI privileged operations, which modify the machine state and require elevated privileges.