ai-cli-helper

Warn

Audited by Snyk on Mar 2, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's workflows explicitly install remote skills via "npx skills add owner/repo" (see subskills/manage-skills.md and references/vercel-skills.md). The vercel-skills.md evidence shows that the remote SKILL.md frontmatter is copied into .agents/skills/ and that Claude Code reads and executes the hooks and fields from those SKILL.md files. This means arbitrary public GitHub skill content (untrusted third-party input) is ingested and can change the agent's tool use and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs running npx to fetch remote GitHub skills at runtime (e.g., "npx skills add vercel-labs/agent-skills" or "npx skills add owner/repo"), and the docs show that the fetched SKILL.md frontmatter (hooks, prompt hooks and command hooks) is preserved and processed by Claude Code. This means remote repository content can inject prompts or cause command execution when the skill is installed or activated.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 2, 2026, 11:02 AM