skillhub-guide

Fail

Audited by Snyk on Apr 6, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The URLs point to an install script and docs hosted on a Tencent Cloud Object Storage bucket (myqcloud.com). Although the domain is a legitimate CDN, providing a direct .sh installer from an unverified bucket is a common malware distribution vector, and running curl|bash on it is risky without first inspecting and verifying the script.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill's required workflow (SKILL.md) instructs the agent/user to run "skillhub search " and to fetch an upstream installer (curl -fsSL https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/install.sh), meaning it will ingest publicly hosted Skillhub marketplace content and remote installer scripts that could contain untrusted instructions influencing subsequent search/install actions.

Issues (2)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Apr 6, 2026, 09:42 PM
  • Issues: 2