sales-third-party

Fail

Audited by Snyk on Apr 4, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). These are third‑party skill pages on a single domain that reference unvetted user repositories and recommend installation via tools like npx (which will fetch and execute code), so although they aren't direct .exe/.msi downloads they still enable arbitrary code execution from unknown authors and therefore present a meaningful malware distribution risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). This catalog skill (SKILL.md) explicitly instructs installing third-party packages from public repos (e.g., resciencelab/opc-skills, apify/agent-skills, coreyhaines31/marketingskills) and documents skills that search/retrieve Reddit, Twitter, Product Hunt and perform multi-platform web scraping, so invoking/installing these skills will fetch and execute untrusted, user-generated web content that can influence agent actions.

Issues (2)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 4, 2026, 09:42 AM
Issues: 2