higgsfield-generate

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The raw.githubusercontent.com link points directly to an install.sh (a downloadable shell script) which is high-risk when run (especially via curl|sh) from a repo you haven't verified and can be used to distribute malware; the shop.example.com/sneakers URL is just a product page (not an executable) and is low-risk by itself, but the presence of the install.sh makes the overall set potentially dangerous.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Marketing Studio workflows explicitly fetch and ingest arbitrary public product pages (e.g., via "higgsfield marketing-studio products fetch --url " and the Click-to-Ad URL-driven flow), importing title/description/images from third‑party sites which the agent reads and uses to drive generation, so untrusted web content can materially influence subsequent actions.