auto-update-plugins
Warn
Audited by Snyk on Apr 3, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill automatically reads GitHub repos declared in plugin-sources.json (check_and_sync.py calls the GitHub API and then runs plugin_add.py to clone/install owner/repo code on SessionStart), meaning it ingests and executes untrusted public GitHub content that can materially change agent behavior and enable indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill queries the GitHub API at https://api.github.com/repos///commits?per_page=1 at runtime and, when changes are detected, runs plugin_add.py which clones and installs code from the specified GitHub repo (e.g. https://github.com/richfrem/agent-plugins-skills), meaning untrusted remote repository content can be fetched and executed during agent startup.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).