plugin-dev

Warn

Audited by Snyk on Feb 28, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill's docs (references/distribution.md and references/marketplace-schema.md) instruct adding external GitHub/GitLab/git URLs as marketplaces and the plugin schema/auto-discovery (references/plugin-schema.md) shows Claude Code will fetch and load those public plugin repositories (including skills/SKILL.md), so untrusted third-party content can be ingested and influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The docs explicitly allow adding remote git marketplaces (e.g., https://gitlab.com/team/plugin.git and GitHub-style repos via /plugin marketplace add owner/repo, including examples like https://github.com/anthropics/skills), which are fetched at install/runtime and can contain agents/skills or executable scripts that directly control prompts or run code — therefore these remote git URLs are runtime dependencies that pose risk.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 08:21 PM