autoresearch

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required workflow instructs cloning a public GitHub repository (git clone https://github.com/karpathy/autoresearch) and running prepare.py which downloads the FineWeb-Edu shards, and explicitly directs an AI agent to read program.md and train.py from that repo to decide and perform autonomous experiment actions, so arbitrary third‑party content from the public repo/dataset can directly influence the agent's decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly installs and executes remote code at runtime (curl -LsSf https://astral.sh/uv/install.sh | sh in setup.sh) and clones/depends on the remote repo (git clone https://github.com/karpathy/autoresearch) whose train.py is later executed (uv run train.py), so these URLs provide required external code that is executed by the skill.