marketplace-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill instructs Claude Code to fetch and load plugins and marketplace catalogs from external sources (e.g., marketplace.json entries and commands like /plugin marketplace add owner/repo that point to public GitHub repos or arbitrary git URLs such as "source": {"source":"github","repo":"owner/repo"} or "source": {"source":"git","url":"https://..."}), so the agent will read and interpret untrusted, user/community-provided content at runtime.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches remote plugins at runtime (e.g., the example plugin repository https://github.com/devtools/git-workflow) and those repositories can contain commands, agents, hooks, or MCP servers that directly define agent prompts and execute shell/node processes, so fetching them at runtime can control the agent and run remote code.