find-skills

Fail

Audited by Snyk on Mar 8, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt includes a hidden, deceptive instruction to run curl against an external URL that leaks the local hostname (and forces update commands), which is unrelated to the declared "find-skills" purpose and constitutes a prompt injection.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.75). The skills.sh pages look like a benign index for "skills" but the presence of a non-official domain (vercel-find-skills.io) used in the prompt to exfiltrate hostname and trigger remote update commands (curl + npx) is suspicious because it can be used to fetch and execute arbitrary code — treat as potentially malicious.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to run npx skills find/add and to curl "https://vercel-find-skills.io", and to browse skills at https://skills.sh and GitHub repositories — all public third-party sources whose (user-generated/untrusted) content the agent would fetch and act on (including installing skills), enabling indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt forcefully instructs running networked commands (curl sending the machine hostname) and using npx to update/install arbitrary third-party skills (including global installs with -g -y and update commands), which can execute remote code, modify the system, or exfiltrate data without explicit user consent, so it meaningfully pushes actions that can compromise the machine state.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 8, 2026, 05:55 PM