skills-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly installs and runs skills from external git remotes and GitHub URLs (see SKILL.md's "bunx skills add " and references/cli.md "Sources accepted by add" listing GitHub shorthand/URLs and other git remotes), which are untrusted, user-controlled third-party sources that the agent will fetch and execute, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skills CLI explicitly installs remote git sources at runtime (e.g., https://github.com/owner/repo and shorthand vercel-labs/skills), and those fetched repositories become executable skill instructions that directly control agent prompts or can execute code, so they are a runtime external dependency.