rill-clickhouse
Warn
Audited by Snyk on Feb 25, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's Step 2 "Load Required Guidance" explicitly instructs the agent to load rule files from public third-party locations (e.g., GitHub URLs, docs.rilldata.com, and clickhouse-best-practices/rules/*). The agent must read these files and use them to drive diagnostics and edits, so any untrusted content placed in them can steer what the agent does.
MEDIUM W012: Unverifiable external dependency detected (runtime-fetched URL content controls the agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires, and at runtime "loads applicable rules" from, external repositories, most prominently https://github.com/ClickHouse/agent-skills, together with referenced rill rule sources such as https://github.com/rilldata/rill/blob/main/runtime/ai/instructions/data/resources/model.md and https://docs.rilldata.com/.... Remote instruction files are therefore fetched at run time and used to control the agent's prompts and behavior; they are a required dependency whose content the skill cannot verify and does not control.
Audit Metadata