zai-cli
Warn
Audited by Snyk on Mar 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md and references/examples.md explicitly describe fetching and processing open/public web content and GitHub repositories (e.g., "real-time web search", "web page to markdown extraction", "Research Topic with Web Search", "Explore GitHub Repository"). The agent therefore ingests untrusted third-party content, and text inside a fetched page or repository file can carry instructions that the agent may act on as if they had come from the user.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs users to run "npx zai-cli ..." (see https://www.npmjs.com/package/zai-cli), which fetches the zai-cli package from the npm registry and executes it at runtime, so remote code is downloaded and run as a required dependency. Because the quoted invocation carries no version pin, whichever version is current on the registry at run time is what executes, and that can change without any change to the skill itself.
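The two findings above are mechanical enough to check before a skill is installed. The script below is an added example written for this page; it is not Snyk's audit logic and not part of zai-cli. It scans skill text for `npx <package>` invocations that are not pinned to an exact version (the W012 pattern: an unpinned run executes whatever the registry currently serves) and for instructions that pull in web pages or GitHub repositories (the W011 pattern). The SKILL.md it scans is a constructed sample modelled on the phrases quoted in the finding, and the phrase list used for W011 is a heuristic chosen here, not a published rule.

```python
"""Lint an agent SKILL.md for unpinned npx execution and third-party content ingestion.

Added example, not Snyk's checker and not code from the zai-cli project.
Assumptions: the sample skill text is constructed; the W011 phrase list is a
heuristic picked for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# `npx [flags] <pkg>[@spec]`; scoped packages (@scope/name) are covered by the
# optional leading group, and the spec (version, tag or range) is captured separately.
NPX_RE = re.compile(
    r"\bnpx\s+(?:-[-\w]+\s+)*"            # flags such as -y / --yes
    r"(?P<pkg>(?:@[\w.-]+/)?[\w.-]+)"     # package name, possibly scoped
    r"(?:@(?P<spec>[^\s]+))?"             # optional @version / @tag / @range
)
# Only an exact semver pin counts; tags like "latest" and ranges like "^1.2.3" do not.
EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][\w.-]+)?$")

# Heuristic phrases indicating the skill ingests content it does not control.
THIRD_PARTY_PHRASES = ("web search", "web page", "github repo", "fetch", "scrape", "crawl")


@dataclass(frozen=True)
class Finding:
    code: str      # "W011" (third-party content) or "W012" (unpinned runtime dependency)
    line: int      # 1-based line number in the skill text
    detail: str


def is_exact_version(spec: Optional[str]) -> bool:
    """True only for an exact pin such as 1.4.2; None, tags and ranges are not pins."""
    return spec is not None and EXACT_VERSION_RE.match(spec) is not None


def lint_skill(text: str) -> List[Finding]:
    """Return W011/W012-style findings for each line of a SKILL.md body."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in NPX_RE.finditer(line):
            if not is_exact_version(m.group("spec")):
                findings.append(Finding(
                    "W012", lineno,
                    f"npx runs {m.group('pkg')!r} unpinned (spec={m.group('spec')!r}); "
                    "the registry's current version is executed at run time"))
        hits = [p for p in THIRD_PARTY_PHRASES if p in line.lower()]
        if hits:
            findings.append(Finding(
                "W011", lineno,
                f"fetches third-party content ({', '.join(hits)}); "
                "treat it as data, never as instructions"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per code, e.g. {'W011': 3, 'W012': 3}."""
    counts: dict = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return dict(sorted(counts.items()))


# Constructed sample skill text, not the real zai-cli SKILL.md.
SAMPLE_SKILL_MD = """\
# zai-cli skill (constructed sample, not the real SKILL.md)

## Setup
Run `npx zai-cli setup` once to configure your API key.

## Research Topic with Web Search
Use real-time web search and web page to markdown extraction:
`npx -y zai-cli search "quantum error correction"`

## Explore GitHub Repository
Summarise a repository with `npx zai-cli repo https://github.com/example/project`
"""

if __name__ == "__main__":
    results = lint_skill(SAMPLE_SKILL_MD)
    for f in results:
        print(f"{f.code} line {f.line}: {f.detail}")
    print(summarize(results))
```

A pinned invocation such as `npx zai-cli@1.2.3 search` produces no W012 finding, while `npx zai-cli@latest` still does, because a tag can be re-pointed on the registry after the skill is reviewed. The W011 check is deliberately crude: it cannot tell a safe fetch from an unsafe one, it only tells you where the skill's instructions admit untrusted text into the agent's context so you can review those steps.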
Issues (2)
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).