team-roles

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests untrusted third‑party content — it performs git clone on arbitrary GitHub URLs (references/add-flows.md A1-1), uses WebFetch to download arbitrary file URLs (A2-1), and installs/scans npx packages (A3), then reads/parses those .md files to decide verification, installation, conflict resolution, and updates, so external content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). At runtime this skill explicitly fetches remote role content (e.g., git-clone of GitHub repos such as https://github.com/user/my-roles, direct file downloads like https://raw.githubusercontent.com/user/roles/main/reviewer.md, and npx package sources such as antfu/skills@vite) and installs those Markdown “role” files which are used as agent role/instruction content, so the fetched external content can directly control agent prompts.