add-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow and fetch_skill.py explicitly download arbitrary skill directories from GitHub URLs (e.g., via git sparse-checkout of https://github.com/... in scripts/fetch_skill.py) and installs their SKILL.md and code into .agents/skills/, meaning untrusted, user-controlled repository content can be ingested and influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's runtime fetches arbitrary GitHub repositories (e.g., via URLs like https://github.com/{owner}/{repo}.git or examples such as https://github.com/OpenHands/skills/tree/main/skills/codereview) using git sparse-checkout and installs their SKILL.md and code into the agent workspace — which directly supplies agent instructions and can include executable code, so this is a high-confidence risk.