skill-installer
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). This installer autonomously scans user locations such as Downloads and Desktop (see DEFAULT_SCAN_LOCATIONS in scripts/detect_skills.py) and parses SKILL.md frontmatter (parse_yaml_frontmatter) to determine names and versions, detect candidates, and auto-install (--detect --auto). It therefore ingests untrusted, user-provided SKILL.md content and acts on it as part of its workflow (e.g., determining installs/overwrites and registry updates), which enables indirect prompt-injection vectors.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The installer skill explicitly instructs the agent to scan user folders, copy/overwrite, backup/restore, uninstall and re-register skills, and modify registry files (including automatic --auto installs and rollbacks). This directs the agent to make broad, potentially destructive changes to the host filesystem and thus compromises machine state.