universal-skills-manager
Fail
Audited by Snyk on Feb 27, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly asks users to provide their SkillsMP API key, stores it in-session, and embeds it verbatim into produced artifacts (config.json inside ZIP) and into API request headers/commands, requiring the LLM to handle and output secret values directly.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). These URLs point to community-hosted skill catalogs, APIs, GitHub repositories and raw download endpoints (including a raw install.sh and ClawHub zip/download endpoints) which are legitimate sources but also allow direct download and execution of arbitrary code—so they pose a moderate-to-high risk unless each repository, raw script and packaged artifact is validated and vetted before running.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly performs searches and fetches SKILL.md and other files from public, user-contributed sources (SkillsMP via githubUrl/raw.githubusercontent.com, SkillHub at https://skills.palebluedot.live, ClawHub at https://clawhub.ai, and GitHub) as required parts of its install/discovery workflow (see "Core Capabilities" and the "Installing from SkillsMP/SkillHub/ClawHub" sections), so untrusted third‑party content can directly influence installation, syncing, and subsequent tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches SKILL.md and other install files at runtime from external hosts (e.g., https://raw.githubusercontent.com/{user}/{repo}/{branch}/{path}/SKILL.md and ClawHub's file endpoint https://clawhub.ai/api/v1/skills/{slug}/file?path=SKILL.md), which directly control agent prompts/instructions, and it even suggests executing remote installer code via curl -fsSL https://raw.githubusercontent.com/jacob-bd/universal-skills-manager/main/install.sh | sh, so these runtime fetches meet the criteria for risky external control or remote code execution.