Skills
skills/ggprompts/my-plugins/plugin-dev/Snyk

plugin-dev

Warn

Audited by Snyk on Mar 14, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's marketplace and plugin installation documentation (references/marketplace-reference.md and references/skills-reference.md) show adding/installing plugins from GitHub or arbitrary git URLs and auto-discovering/loading SKILL.md, references, hooks, and scripts from those remote sources, which means the agent will fetch and execute untrusted third‑party repository content that can alter tool use and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill references an MCP HTTP server URL (https://api.example.com/mcp) which would be contacted at runtime to load tool schemas and return tool responses that can directly influence agent prompts and execute remote actions, making it a runtime dependency that controls agent behavior.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 14, 2026, 04:34 AM
Issues
2