setup-ast

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs cloning and building public grammar repositories (e.g., the "Clone grammars" section with git clone https://github.com/tree-sitter/tree-sitter-*.git and community repos like alex-pinkus/tree-sitter-swift and fwcd/tree-sitter-kotlin), which are untrusted, user-maintained third-party sources whose contents are ingested and used to build/drive AST extraction and parsing that can materially influence subsequent tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill performs runtime git clones of external grammar repositories (e.g., https://github.com/tree-sitter/tree-sitter-javascript.git and other tree-sitter grammar URLs) which are required dependencies and are fetched and built/executed locally (tree-sitter generate/build), so they can directly introduce/executed remote code and represent a supply-chain risk.