ln-643-api-contract-auditor

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the worker to fetch mandatory "shared/references/..." files via WebFetch from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path} when local files are missing, and those externally hosted, user-editable detection/scoring documents are required reads that directly drive analysis and decision-making (detection patterns, scoring rules), so untrusted content could alter the agent's behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs that missing reference files must be fetched at runtime via WebFetch from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}, and those fetched docs (detection patterns, scoring rules, templates) directly control the auditor's checks and scoring, making this a required external input that influences agent behavior.