skill-installer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The installer explicitly downloads and writes arbitrary skill files from a catalog API (download_from_catalog in scripts/install_skill.py, and the SKILL.md "Install from catalog" flow) by GETting {api_url}/api/catalog/{vendor}/{skill} and saving the returned "content", which can install untrusted third-party code that could change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The installer calls requests.get at runtime to fetch skill packages from the catalog endpoint (f"{api_url}/api/catalog/{vendor_key}/{skill_key}") and writes arbitrary file contents to disk — which can include executable code or prompt/instruction files that will control agent behavior when installed, so this runtime URL fetch directly supplies code/instructions to the agent.