data-download
Fail
Audited by Snyk on Mar 9, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These are Google Drive direct-download links — while Drive is legitimate, personal file-hosting links can easily be used to distribute unverified executables or malicious files and obscure the uploader, so they should be treated as high risk unless the file, checksum, and uploader are independently verified.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill and its required workflows explicitly fetch and ingest arbitrary public web content (e.g., SKILL.md and references list direct HTTP/GitHub/HuggingFace/Kaggle/UCI/Google Drive downloads) and the provided scripts (scripts/batch_download.py and scripts/download_file.py) read URLs and download files from arbitrary public sources, meaning untrusted, user-provided third‑party content is ingested and can influence subsequent validation and processing steps.