capability-evolver

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.75). These links point to an unknown third‑party domain (evomap.ai) plus a low‑profile GitHub releases page (autogame-17/evolver) that can host executables or scripts and are coupled with instructions to download/run and even self-modify code, which matches multiple high‑risk indicators for potential malware distribution.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The skill explicitly ingests external, potentially user-generated Genes/Capsules from the EvoMap/A2A network (see SKILL.md "A2A External Asset Ingestion" and scripts/a2a_ingest.js), stages them as candidates, and those assets can be selected/promoted and influence evolution/solidify actions (including running validated commands), so untrusted third‑party content can materially affect agent behavior.