arcs-dev-tools

Warn

Audited by Snyk on Mar 11, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow (Operations 1 and 2) explicitly instructs the agent to git-clone a user-provided repository and run repository-supplied install/build scripts (e.g., bash prepare_listenai_tools.sh, prepare_toolchain.sh and ./tools/burn/cskburn), which means untrusted third-party repo content and binaries are fetched and executed and can therefore influence tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs a runtime git clone of the repository (https://gitlab.example.com/listenai/arcs-sdk.git) and then runs scripts/binaries from that repo (e.g., prepare_listenai_tools.sh, prepare_toolchain.sh, ./tools/burn/cskburn), so fetched remote content would be executed and is a required dependency.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 02:16 AM