create-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required workflows (e.g., SKILL.md Phase 0 & Phase 3 and references/workflow-research.md/workflow-author.md) explicitly instruct the agent to fetch/read public third-party URLs (GitHub repos, raw.githubusercontent.com, docs.anthropic.com and other web docs via WebFetch or git clone) and to use those fetched sources to drive research, authoring, review, and action decisions, exposing it to untrusted public content that could carry indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches remote content at runtime that is used to drive agent prompts/instructions — e.g., scripts/ensure_spec_repo.sh clones https://github.com/anthropics/skills.git and Phase 0 may WebFetch raw guidance at https://raw.githubusercontent.com/anthropics/claude-plugins-official/main/plugins/plugin-dev/skills/skill-development/SKILL.md — so these URLs are runtime dependencies that directly control the agent's behavior.