viboscope

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs fetching and using viboscope's public APIs and invite links (e.g., "curl ... https://viboscope.com/api/v1/skill" and "viboscope.com/match/@your_nick", and the "Step 3: Search" workflow), which requires the agent to fetch and interpret user-generated public profiles/match data from viboscope.com that could materially influence matching decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The install step explicitly fetches and installs remote skill content with curl (https://viboscope.com/api/v1/skill), which will be loaded as the agent's skill and therefore can directly control prompts/instructions and is a required runtime dependency.