agent-bootstrap

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly installs and reads remote skills from open/public sources (Phase 1.5 "Install Remote Skills" and the "Raw URL Installation" steps that curl SKILL.md from GitHub/Gitea/GitLab or use owner/repo sources), which consumes untrusted, user-generated third‑party content that the agent will parse and use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly downloads remote SKILL.md files at runtime (e.g. curl -sSL "https://gitea.example.com/.../raw/.../skill-name/SKILL.md" -o ~/.claude/skills/skill-name/SKILL.md), which would inject externally hosted skill instructions into the agent and can directly control prompts/behavior.