skill-finder

Warn

Audited by Snyk on Mar 7, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly searches GitHub and fetches and reads SKILL.md and other repository files via the gh API (see "Phase 3: Content Fetching" and "Installation Workflow", which download SKILL.md and README and may run setup scripts). It therefore consumes untrusted, public, user-generated content that the agent interprets and that can drive actions such as scoring, ranking, downloading, and installing, creating a clear indirect prompt-injection risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill explicitly fetches SKILL.md files at runtime (e.g., via the GitHub contents API, https://api.github.com/repos/OWNER/REPO/contents/PATH/TO/SKILL.md, via blob URLs like https://github.com/OWNER/REPO/blob/main/PATH/SKILL.md, or by cloning repos with gh repo clone) and then "actually READ[s] the SKILL.md content" to drive semantic matching and evaluations (and may clone/run setup scripts). Remote content is thus fetched at runtime, directly controls the agent's prompts and behavior, and can trigger execution of remote code.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 7, 2026, 01:34 AM