install-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly scrapes public search results from skills.sh (search.mjs) and downloads arbitrary files from GitHub repos via the GitHub API (install.mjs), which are then read/installed as skills and can contain untrusted, user-generated instructions that may influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). install.mjs fetches skill files at runtime from GitHub (e.g. https://api.github.com/repos/${repo}/contents/${skillName} and the file.download_url raw GitHub URLs) and writes them into the project, which lets arbitrary remote files (including SKILL.md or executable code) directly control agent behavior or later be executed, so this is a required runtime dependency.