direnv

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's stdlib and examples include functions that download and source arbitrary URLs from the open web (e.g., source_url and fetchurl with "https://example.com/script.sh" and raw GitHub links for nix-direnv), which causes the agent to ingest and execute untrusted third-party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill contains explicit runtime patterns that download-and-source remote scripts (executing code) — e.g., the troubleshooting/.envrc example uses source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.3.0/direnvrc" which, when run, fetches and executes remote code as part of environment evaluation.