configure-feature-flags

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md "Version Checking" section (marked CRITICAL) explicitly tells the agent to verify latest SDK/provider versions via WebSearch/WebFetch and by visiting public sites (npm, PyPI, GitHub releases), so the agent will fetch and interpret untrusted public web content that can change installation/configuration actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's CI/validation step runs "go install github.com/thomaspoignant/go-feature-flag/cmd/goff@latest", which downloads/builds and executes remote code from GitHub at runtime (github.com/thomaspoignant/go-feature-flag/...), making it a required runtime dependency that executes external code.