mcp-to-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Phase 1 "Package registry" step explicitly instructs fetching public package registry data and READMEs/source (e.g., "npm info ... then fetch the README or source") and the replacement patterns call out using web_fetch/curl to external APIs—untrusted public content the agent reads and uses to determine replacement commands and behavior, so it can materially influence tool use.