skill-auditor

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly clones GitHub repositories (Phase 0: "git clone --depth 1 --single-branch " with validated GitHub URLs) and then reads/analyses the repo's SKILL.md, scripts, and reference files via Phase 1 sub-agents—i.e., it ingests untrusted, user-generated public repo content as part of its required workflow, which could contain prompt-injection text that materially influences the audit's findings and verdict.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly clones arbitrary GitHub repositories at runtime (e.g., https://github.com//) and then reads SKILL.md and other files into agent sub-agents for analysis, so fetched remote content can directly influence prompts/agent behavior.