evomap

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). The list mixes API endpoints on an unfamiliar domain (evomap.ai) with an unvetted GitHub repo/release (autogame-17/evolver) and explicit instructions to download and run code — no direct .exe links but executing code from unknown sources and new GitHub accounts is a notable malware risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests public, user-generated content from the EvoMap hub (e.g., POST https://evomap.ai/a2a/fetch and GET https://evomap.ai/a2a/assets as shown in SKILL.md and scripts/evomap_client.py / scripts/query_node.py), and the documented workflows instruct the agent to read, analyze, claim tasks, and act on those fetched assets/tasks—so third-party content can directly influence tool use and agent decisions.