workflow-creator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly downloads and loads community skills from public sources (scripts/download_skill.py clones arbitrary GitHub repos and copies SKILL.md, and the Skill Sources section lists many public directories/sites), and those downloaded SKILL.md files and skills are intended to be loaded/used by the agent (AGENTS.md is auto-loaded), which exposes the agent to untrusted third‑party, user‑generated content that could contain indirect prompt injections.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime download script (scripts/download_skill.py) clones external GitHub repositories (e.g., https://github.com/anthropics/skills) to pull SKILL.md/skill folders which are then placed into .claude/skills and can be auto-loaded as agent instructions, so remote content fetched at runtime can directly control prompts or behavior.