cli-tools

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's installer and updater scripts explicitly fetch and act on public, user-controlled resources (e.g., scripts/installers/github_release_binary.sh, scripts/installers/github_clone.sh, and scripts/install_composer.sh use curl/git to pull from GitHub/GitLab/getcomposer.org), and those fetched contents are parsed and executed as part of the install/update workflows, exposing the agent to untrusted third-party content that can materially change behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The installer script scripts/install_composer.sh downloads and installs a remote PHAR from https://getcomposer.org/download/latest-stable/composer.phar at runtime (curl -fsSL ...), which fetches and installs/executes remote code required by the install flow, so this URL is a high-confidence runtime dependency that can execute remote code.