skill-manager
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill manager fetches and installs skills directly from public GitHub repositories (see scripts/install.py which downloads or clones github.com repos and SKILL.md files) and its SKILL.md explicitly instructs to "browse the repo" and "read their SKILL.md for details", meaning untrusted, user-generated content is loaded and used to decide installs/syncs and trigger behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The installer fetches GitHub repositories at runtime (e.g., via https://codeload.github.com/{owner}/{repo}/zip/{ref} and direct GitHub URLs such as https://github.com/K-Dense-AI/claude-scientific-skills), and those repos contain SKILL.md files and bundled resources that will be loaded/installed and can directly control agent prompts/instructions—making this a required runtime dependency that can alter agent behavior.