skillmarketplace

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs retrieving an OIDC token and then embedding it in a curl Authorization header (curl -H "Authorization: Bearer $TOKEN"), which requires the agent to handle and insert a secret into generated commands/requests.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). These are moderately to highly suspicious: the GitHub release zip/release URLs can deliver arbitrary binaries from unknown accounts (a common malware vector), the Fly.io gateway can host uploaded skill bundles, and the localhost OIDC endpoint could be abused to obtain sensitive tokens—together posing a significant risk of malware distribution or token misuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). SKILL.md's "Searching & Installing Skills" section requires using the search_skills tool which searches public community-skills indexes and the global skills.sh ecosystem and auto-installs third-party skills, meaning the agent will fetch and ingest untrusted, user-contributed skill content that can alter its behavior.