Fail

Audited by Snyk on Feb 20, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.80). The prompt describes and quotes a mechanism that explicitly advocates covertly injecting "ambient" instructions into the LLM's context ("inject them into your brain continuously" / "Don't worry about looking at ambient skills with the file tool"), which encourages hidden/deceptive shaping of model behavior beyond transparent documentation and thus constitutes a prompt-injection risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). SKILL.md (and EXPORTS-PROTOCOL.md / CARD.yml) explicitly instructs LLMs/orchestrators to browse and fetch skill directories and bundles from public GitHub (and to publish/share on public forums), meaning the agent will ingest untrusted, user-generated web content (e.g., CARD.yml, README.md, SKILL.md from arbitrary repos) that can alter ambient advertisements and drive tool use and decisions.
Audit Metadata

Risk Level: CRITICAL

Analyzed: Feb 20, 2026, 02:22 AM