skills-sync
Warn
Audited by Snyk on Mar 13, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The tool reads repository URLs from repos.txt, clones those external Git repositories (sync_repo_to_global / run_git_command using TEMP_CLONE_DIR), and extracts SKILL.md files from .cortex/skills/* and .claude/skills/*. These files are fed into to_prompt() to generate .cursor/rules/skills.mdc, so untrusted, user-provided repository content is ingested and can influence agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The script reads and clones repository URLs from repos.txt at runtime (e.g., https://github.com/anthropics/skills) and injects the extracted SKILL.md content into generated Cursor rules, directly controlling agent prompts. It also executes remote installer code at runtime (curl -LsSf https://astral.sh/uv/install.sh | sh) and installs a pip package from git at runtime (git+https://github.com/agentskills/agentskills.git#subdirectory=skills-ref), so remote content is both fetched/executed and required for the tool's operation.
Issues (2)
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).