warden

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly supports fetching and running remote SKILL.md files from public GitHub repos (see references/creating-skills.md "Remote Skills" and CLI examples like warden add --remote ... in references/cli-reference.md), which are untrusted, user-generated third‑party content that the agent reads/interprets and can materially change tool behavior (triggers, fixes, commands), so it can enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill documentation explicitly allows fetching remote skills (e.g., https://github.com/getsentry/skills or owner/repo@sha) at runtime to load SKILL.md files which directly control agent prompts/instructions, and Warden will rely on those remote repos as required skill dependencies unless run with --offline or cached copies—so this is a runtime external dependency that can control the agent.