update-wyatt-skills

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The script scripts/update.sh runs "pnpm dlx skills add Hu-Wentao/wyatt_skills", which fetches and installs skills from an external third-party repository (Hu-Wentao/wyatt_skills) and therefore ingests untrusted user-generated content that could change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The included script runs "pnpm dlx skills add Hu-Wentao/wyatt_skills", which fetches and executes remote package code (Hu-Wentao/wyatt_skills) at runtime and is a required dependency, so it can execute remote code and influence agent behavior.