conan-vcpkg

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's required workflow explicitly instructs fetching code and packages from public third‑party sources (e.g., SKILL.md "git clone https://github.com/microsoft/vcpkg.git" and references/package-manager-patterns.md's vcpkg_from_github), which are untrusted user‑generated sources that the workflow ingests and that can materially affect build/tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's vcpkg setup explicitly runs "git clone https://github.com/microsoft/vcpkg.git" and then "./vcpkg/bootstrap-vcpkg.sh" at runtime, which fetches and executes remote code and is required for the vcpkg functionality.