install-github-plugin

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly clones arbitrary GitHub repositories via the gh CLI and instructs the operator to read one or two SKILL.md files from those repos to generate a marketplace manifest (see Workflow steps 1 and 3), so untrusted, user-generated repo content is ingested and can influence plugin installation and agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly runs gh repo clone / (i.e., cloning arbitrary GitHub repositories at runtime) and then installs/loads repository-provided SKILL.md, agents/, and hooks/ content which can directly control agent prompts and lifecycle behavior (and may execute code), so the GitHub repo URL used in "gh repo clone /" is a runtime external dependency that controls the agent.