install-skills
Warn
Audited by Snyk on Mar 6, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). This skill explicitly fetches and installs content from public GitHub repositories (scripts/install-skill.sh clones https://github.com/$SOURCE_REPO and scripts/list-skills.sh queries https://api.github.com/repos/$SOURCE_REPO/contents/...), reads SKILL.md descriptions, and installs arbitrary community skill files that can influence agent behavior, so untrusted third-party content could inject instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The scripts perform runtime fetches from GitHub (e.g., git clone "https://github.com/$SOURCE_REPO.git" and curl "https://api.github.com/repos/$SOURCE_REPO/contents/$SKILLS_PATH") and may also invoke npx add-skill; the fetched SKILL.md and repository files are installed and can directly control agent prompts or include executable code, so the GitHub API/clone URLs are a high-confidence runtime risk.